Article

Syrga2: Post-Quantum Hash-Based Signature Scheme

1 Information Security Laboratory, Institute of Information and Computational Technologies, Almaty 050010, Kazakhstan
2 Institute of Automation and Information Technologies, Satbayev University, Almaty 050013, Kazakhstan
* Author to whom correspondence should be addressed.
Computation 2024, 12(6), 125; https://doi.org/10.3390/computation12060125
Submission received: 6 May 2024 / Revised: 10 June 2024 / Accepted: 13 June 2024 / Published: 15 June 2024
(This article belongs to the Section Computational Engineering)

Abstract

This paper proposes a new post-quantum signature scheme, Syrga2, based on hash functions. As known, existing post-quantum algorithms are classified based on their structures. The proposed Syrga2 scheme belongs to the class of multi-use signatures with state retention. A distinctive feature of state-retaining signatures is achieving a compromise between performance and signature size. This scheme enables the creation of a secure signature for r messages using a single pair of secret and public keys. The strength of signature algorithms based on hash functions depends on the properties of the hash function used in their structure. Additionally, for such algorithms, it is possible to specify the security level precisely. In the proposed scheme, the HBC-256 algorithm developed at the Institute of Information and Computational Technologies (IICT) is used as the hash function. The security of the HBC-256 algorithm has been thoroughly studied in other works by the authors. In contrast to the Syrga1 scheme presented in previous works by the authors, the Syrga2 scheme provides for the definition of different security levels determined by the parameter τ. This paper experimentally demonstrates the impossibility of breaking the proposed scheme using a chosen-plaintext attack. Additionally, the scheme’s performance is evaluated for signature creation, signing, and message verification.

1. Introduction

Thanks to the continuous development of quantum computing, quantum communication, quantum cryptography, etc., quantum technologies have attracted the attention of the scientific and technical community in recent years and have become the subject of increased interest. Progress in research in the field of quantum technologies allows them to become more mature. While classical computers operate on binary codes, quantum computers use qubits to encode data. A qubit is a superposition of all intermediate states, allowing it to represent zero, one, or their linear combination. Thus, the application of quantum mechanics to computations allows a quantum computer to perform calculations much faster compared to a traditional computer. Quantum computers have high processing speed and the ability to solve specific tasks, which attracts the attention of many scientists and technical research organizations and contributes to their rapid development. In October 2019, Google announced the completion of a 53-qubit quantum computer. In November 2022, IBM announced the successful implementation of the Osprey quantum processor, capable of processing 433 qubits, and plans to release a processor with a memory volume of 4158 qubits in 2025 [1,2].
Quantum computers have brought about Shor’s algorithm and Grover’s algorithm, which impact the resilience of today’s cryptographic algorithms. The most widely used asymmetric encryption algorithms like RSA, DSA, and others are becoming less secure and can be cracked in polynomial time, dependent on the size of the public key. This holds true for any asymmetric encryption algorithms whose security relies on the complexity of solving mathematical problems such as factoring numbers (decomposing a number into prime factors) and discrete logarithms in a finite field or on a set of points on an elliptic curve [3]. In other words, all commonly used asymmetric encryption algorithms need to be replaced with algorithms whose security is based on the difficulty of solving other mathematical problems. For instance, RSA is a widely used public-key encryption system that underpins applications like web browsers and digital signature software [4].
Currently, there is a rivalry between quantum computing and classical cryptography. Classical cryptography safeguards the internet, blockchain ledgers, communication channels, and many other systems. Post-quantum cryptography aims to develop encryption algorithms resistant to attacks using algorithms on future quantum computers [5].
The fundamental differences between post-quantum cryptography methods and traditional ones lie in aspects such as mathematical foundations, resistance to attacks, key sizes, and performance, as well as their practical application.
In recent years, attacks on quantum key distribution (QKD) systems have been actively researched, and countermeasures have been proposed. Research results indicate that QKD systems have vulnerabilities not only in their protocols but also in other critical components of the systems [6,7].
The implications of the emergence of quantum computers for symmetric encryption algorithms and hash functions are not as critical. The cryptographic strength of any symmetric encryption algorithm and hash function when using a quantum computer is equivalent to the cryptographic strength of the same algorithm when using a classical computer, but with the encryption key or hash code length doubled [8]. In other words, for symmetric encryption algorithms and hashing, one can simply double the length of the key or hash code to achieve the same cryptographic strength without changing the cryptographic algorithm. Increasing the length of the key or hash code will lead to increased encryption time. However, this is a natural progression: as computer performance and quantity grow, computational resources for attacks also increase. To defend against them, it is necessary to increase the size of the symmetric key or hash code.
In 2017, the National Institute of Standards and Technology (NIST) of the United States organized an open international competition for submissions and discussions on standardizing post-quantum cryptographic schemes. On 30 January 2019, NIST published a list of 26 candidate algorithms that had advanced to the second round of the competition. In July 2022, the third round of the NIST competition concluded, and the final list of algorithms for standardization in the United States was announced. Among the selected algorithms were the CRYSTALS-Dilithium, Falcon, and SPHINCS+ digital signature schemes and the CRYSTALS-Kyber key exchange scheme [9,10].
In July 2023, NIST published a list of digital signature schemes admitted to participating in the competition for an additional quantum-resistant standard. The list included 40 schemes out of 50 submitted ones, based on various synthesis principles, including lattice-based problems, coding, hash functions, and others. The main reason for conducting an additional round was the fact that the most efficient schemes-winners of the main stage (CRYSTALS-Dilithium, Falcon) are based on lattice-based problems, while the third finalist—SPHINCS—lags behind them in terms of performance. As of August 2023, several schemes from the new list have already demonstrated sufficiently effective attacks [11].
Hash-based cryptography creates signature algorithms whose security is mathematically based on the security of the chosen cryptographic hash function. For instance, SHA-2 is considered secure against attacks from the most powerful modern supercomputers and is also deemed quantum-safe. This implies that a hash-based signature algorithm using SHA-2 is essentially as secure as SHA-2 itself. Hash-based cryptography was initially developed by Lamport and Merkle in the late 1970s. Since the publication of the original Merkle scheme, hash-based algorithms have become more efficient [12].

2. A Brief Review of Existing Hash-Based Signature (HBS) Post-Quantum Signature Schemes

The concept of designing an electronic digital signature based on hash functions emerged in 1979 in the work of the American scientist Lamport [13]. When creating a signature using a pseudo-random number generator (PRNG), 256 pairs of random 256-bit numbers $a_i, b_i$, $i = \overline{0, 255}$, are generated, which are considered the secret key of the system. By hashing the pairs of numbers $a_i, b_i$, corresponding pairs of public keys $a_i, b_i$, $i = \overline{0, 255}$, are created. In general, in this scheme, any cryptographically secure one-way function $H$ can also be applied.
One of the well-known one-time signature schemes (OTS), used in many modern post-quantum signatures, is the Winternitz OTS (WOTS) scheme [14]. In the construction of a signature in the WOTS scheme, a sequence of secret keys $SK = (SK_0, SK_1, \ldots, SK_{m/w})$ is first generated using a random number generator (RNG). Then, a sequence of public keys $PK = (PK_0, PK_1, \ldots, PK_{m/w})$ is generated using the hash function $H$ applied $2^w - 1$ times.
The WOTS scheme has several variations. One of them is the WOTS+ scheme, incorporated into the structure of the SPHINCS+ algorithm, which was presented in the NIST competition and selected after three rounds. The advantage of using a chain function in the WOTS+ scheme is that the high collision resistance of the hash function used in it is not a mandatory condition.
Nevertheless, since the mentioned schemes belong to the group of one-time signatures, it is necessary to carefully manage the keys when generating signatures for multiple messages. Therefore, in addition to them, schemes with few-time signatures (FTS) are also being developed. Among the most popular of these schemes is the HORS (Hash to Obtain Random Subset) scheme [15].
Several modifications of the HORS scheme have also been developed, such as HORSIC and HORSIC+. HORSIC employs a bijective function to transform all k parts into numerical values. Besides, a method for reducing the signature size is considered. In HORSIC+, the same chaining function as in the WOTS+ scheme is used to enhance security, but with the consideration of being resistant to chosen message attacks [16].
The drawback of the aforementioned schemes is that in some, a key cannot be used more than once, while in others, the level of security continues to decrease upon reusing the same key. To address these limitations, it is recommended to use a Merkle tree (binary hash tree). When constructing a binary tree, a single overall hash value, called the Merkle root, covering all data parts is computed. By using a single public key and a Merkle tree of height $n$, it is possible to create a common signature for $2^n$ messages [17].
Using the Merkle tree to manage keys of the WOTS+ scheme, a new scheme called XMSS (eXtended Merkle Signature Scheme) was created. In XMSS, the root of the Merkle tree is taken as the public key, and each leaf is the Merkle root from the set of WOTS+ public keys. Such a tree is also called an “L-tree”. To sign a message M, a leaf of the tree that has not been used before is selected, and it uses secret keys to generate a WOTS+ signature.
In addition to the schemes mentioned above, there are several other ways to create HBS. Among them, it is worth noting the SPHINCS+ digital signature scheme, which was selected as a result of the NIST competition. In this scheme, there is also no need to track the state [18]. One of the early versions of the SPHINCS+ algorithm, the SPHINCS algorithm, was developed using HORS-T and WOTS+ schemes, and to compute the root of the Merkle tree, keys need to be pre-generated. In the SPHINCS algorithm, by using a hypertree and a random string key address scheme, it was possible to manage multiple keys without computing all the leaves of the tree.
The SPHINCS+ algorithm, when signing a message, uses an enhanced version of HORS called the Forest of Random Subsets (FORS) scheme and a tunable hash function for security. In FORS, $k$ binary trees of height $n$ are considered. Since each tree contains $t = 2^n$ secret keys, the total number of keys will be $k \times t$. The roots of these trees are hashed together to form the FORS root.
In this section, brief descriptions of signature schemes Lamport, WOTS, WOTS+, HORS, and some others are provided. In general, algorithms based on post-quantum hash functions can be divided into two groups: stateful and stateless. Figure 1 shows schemes developed to date, grouped by structures.
There is every reason to believe that hash-based cryptography will remain one of the priority directions in post-quantum cryptography. Algorithms in this field will rely solely on cryptographically secure hash functions for generating and verifying digital signatures.

3. Materials and Methods

Currently, there are several cryptographic signature schemes constructed based on hash functions. The security of such constructions cannot be proven based on any assumptions or properties of the considered hash function regarding collision resistance and message preimage recovery. However, it is not ruled out that some robust constructions may be less efficient than other approaches whose security has not yet been proven [19].
A balanced approach between strict security proof and complete lack of proof, which has proven successful in practice and passed experimental tests, is the adoption of an idealized model capable of demonstrating the security of cryptographic schemes. Among such approaches, the most popular is the random oracle model [20].
The random oracle model treats cryptographic hash functions as truly random functions. This model assumes the existence of a common random function H, which can only be defined by “queries” to the oracle, and can be viewed as a “black box” that, for each unique query x, provides a random response H(x) uniformly distributed from its output space. Additionally, if a query is repeated multiple times, the oracle always returns the same response.
To describe the formal model of security, let’s introduce definitions and concepts related to digital signature schemes.
Definition 1.
A quantity given by a function $e(\lambda)$ of some parameter $\lambda$ is called negligible if for all $c > 0$, $\exists K > 0$: $\forall \lambda \geq K$, $e(\lambda) < \lambda^{-c}$.
Definition 2.
Let $\mathcal{M}$ be the message space. A digital signature scheme $\Sigma = (\mathrm{Kg}(), \mathrm{Sign}(), \mathrm{Vf}())$ consists of a triple of probabilistic polynomial-time algorithms:
  • The algorithm $\mathrm{Kg}(1^n)$, given the security parameter $1^n$, outputs a signature key (private key) $SK$ and a verification key (public key) $PK$;
  • The algorithm $\mathrm{Sign}(SK, M)$ outputs the signature $\sigma$ of the message $M \in \mathcal{M}$ using the key $SK$;
  • The algorithm $\mathrm{Vf}(PK, M, \sigma)$ outputs 1 if $\sigma$ is a valid signature, i.e., $\mathrm{Vf}(PK, M, \mathrm{Sign}(SK, M)) = 1$.
The security of a digital signature scheme means that an adversary cannot create a forgery even if they have access to signatures on many messages of their choice. Security is defined using the following experiment for an adversary $\mathcal{A}$ and a parameter $n$:
Experiment with signature $\mathrm{Sig}_{\mathcal{A},\Sigma}^{\mathrm{UF\text{-}CMA}}(n)$.
  • Execute $\mathrm{Kg}(1^n)$ to obtain the keys $PK, SK$.
  • Adversary $\mathcal{A}$ is given the public key $PK$ and access to the oracle $\mathrm{Sign}(SK, M)$ for any message $M$ of their choice. The adversary returns $(M; \sigma)$.
  • The result of the experiment is 1 if $\mathrm{Vf}(M; \sigma) = 1$ for $M \notin \mathcal{M}$, where $\mathcal{M}$ is the set of messages for which signatures were requested by $\mathcal{A}$.
Definition 3.
A digital signature scheme $\Sigma = (\mathrm{Kg}(), \mathrm{Sign}(), \mathrm{Vf}())$ possesses the property of existential unforgeability under an adaptive chosen-message attack (UF-CMA) if, for all polynomial-time probabilistic adversaries $\mathcal{A}$, there exists a negligible function $\mathrm{negl}$, such that:
$$\Pr[\mathrm{Sig}_{\mathcal{A},\Sigma}^{\mathrm{UF\text{-}CMA}}(n) = 1] \leq \mathrm{negl}(n).$$
Let $n \in \mathbb{N}$ be the security parameter and let $F_n = \{ f_k : \{0,1\}^n \to \{0,1\}^n \mid k \in \mathcal{K} \}$ be a family of functions. The elements of $\mathcal{K}$ are called keys, and each key $k$ defines a specific function $f_k$ in the family $F_n$.
A function is pre-image resistant (or one-way) if it is easy to compute but hard to invert. The success probability of an adversary against the pre-image resistance of $F_n$ is given by:
$$\Pr[\mathrm{Sig}_{\mathcal{A},\Sigma}^{\mathrm{OW}}(n) = 1] = \Pr[k \xleftarrow{\$} \mathcal{K};\ x \xleftarrow{\$} \{0,1\}^n;\ y \leftarrow f_k(x);\ x' \xleftarrow{\$} \mathcal{A}(k, y) : y = f_k(x')].$$
Definition 4.
A family of functions $F_n$ is called pre-image resistant or one-way (OW) if, for all probabilistic polynomial-time adversaries $\mathcal{A}$, there exists a negligible function $\mathrm{negl}$, such that:
$$\Pr[\mathrm{Sig}_{\mathcal{A},\Sigma}^{\mathrm{OW}}(n) = 1] \leq \mathrm{negl}(n).$$
Second-preimage resistance (HBS) refers to the difficulty of finding a second message with the same hash value for a given message with a known hash value, denoted as $\mathrm{Sig}_{\mathcal{A},\Sigma}^{\mathrm{SPR}}(n)$.
Definition 5.
A family of functions $F_n$ is considered second-preimage resistant if the success probability of any polynomial-time adversary $\mathcal{A}$ is negligible:
$$\Pr[\mathrm{Sig}_{\mathcal{A},\Sigma}^{\mathrm{SPR}}(n) = 1] \leq \mathrm{negl}(n).$$
Regarding collisions in the context of hash function $F$, it refers to the situation where the hash values of two different inputs $a$ and $b$ are the same, i.e., $F(a) = F(b)$ for $a \neq b$. Since the number of possible plaintexts is greater than the number of possible hash values, there are inevitably multiple preimages for some hash values. Hash functions for which finding collisions is a challenging task are called collision-resistant functions.
Definition 6.
A family of functions $F_n$ is considered collision-resistant if, for all polynomial-time adversaries $\mathcal{A}$, there exists a negligible function $\mathrm{negl}$, such that:
$$\Pr[\mathrm{Sig}_{\mathcal{A},\Sigma}^{\mathrm{Coll}}(n) = 1] \leq \mathrm{negl}(n).$$

4. Results

4.1. Description of the Post-Quantum Digital Signature Algorithm Syrga2

Increasing the number of qubits in quantum computing is an important area of research as it contributes to the development of more powerful quantum computers and opens up new possibilities for solving complex cryptographic problems that cannot be addressed by classical computers. Thus, post-quantum cryptography aims to create algorithms that can ensure security in a world with quantum computers, making it critically important for communication and data security.
The proposed algorithm Syrga2 in its structure and operation is similar to the post-quantum digital signature algorithm Syrga1 and is considered its modified version [21]. Syrga2 is a hash-based signature scheme, representing a stateful digital signature scheme. The preservation of the state is managed by a parameter or counter q, which is updated for each new signature created to prevent the reuse of the same key pair. The difference from Syrga1 lies in the method of forming a sequence of components of secret keys for signing a specific message. In Syrga2, there is no repetition of identical components of secret keys in the obtained sequence of values. The formed sequence, consisting of elements in a specific quantity, can be considered as a permutation or arrangement without repetitions in the sequence (set) of secret keys. The method of obtaining this sequence from non-repeating components of secret keys is presented below.
The scientific novelty of the proposed algorithm lies in the ability to obtain a set of intermediate secret keys by iteratively hashing the original set of secret keys r times. These intermediate keys enable the signing of r messages with one-time keys. An advantage of the algorithm is its relatively small signature size and implementation time, attributed to the absence of authentication paths characteristic of some algorithms using Merkle trees. Another feature of Syrga2 is the possibility to adjust the parameter  τ  to enhance its security level. The choice of  τ  is independent of the hash code length, allowing the use of any other hash function.
Like all other signature algorithms, the Syrga2 $DSS_{\mathrm{Syrga2}}$ scheme consists of a trio of probabilistic polynomial-time algorithms: $\mathrm{Kg}_{\mathrm{Syrga2}}()$ for key generation, $\mathrm{Sign}_{\mathrm{Syrga2}}()$ for message signing, and $\mathrm{Vf}_{\mathrm{Syrga2}}()$ for signature verification. In the $DSS_{\mathrm{Syrga2}}$, $\mathcal{M}$ is regarded as the message space.

4.2. Key Generation Algorithm

The $\mathrm{Kg}_{\mathrm{Syrga2}}(1^n)$ algorithm, when given the security parameter $1^n$, generates the private signing key $SK$ and the public verification key $PK$. To generate $SK$, any pseudo-random number generator (PRG), denoted as $G$, can be used. $G$ transforms random input of shorter length into longer n-bit pseudo-random output: $G : \{0,1\}^* \to \{0,1\}^{tn}$, where $n, t \in \mathbb{N}$. The result of the function $G$ is uniformly divided into $t$ parts to define $SK = (sk_0, sk_1, sk_2, \ldots, sk_{t-1})$. To obtain the public key, a cryptographically secure hash function $H_0 : \{0,1\}^n \to \{0,1\}^n$ is utilized. The public key $PK = (pk_0, pk_1, pk_2, \ldots, pk_{t-1})$ of the $DSS_{\mathrm{Syrga2}}$ scheme is considered the result of r-fold hashing of $SK$, i.e., $PK = H_0^{(r)}(SK)$ or $pk_i = H_0^{(r)}(sk_i)$, where $i = 0, \ldots, t-1$. For the Syrga2 scheme, security parameters and other initial parameters are defined as follows: $n = 256$, $t = 256$ and $r = 1024$. Consequently, the length of each $sk_i$ and $pk_i$ is 256 bits.
In the next step of key construction, a pair of secret and public keys for signing a specific message $M_q$ is defined, where $1 \leq q \leq t$. It is noteworthy that the presented $DSS_{\mathrm{Syrga2}}$ scheme using the composed key pair $KG : (SK; PK)$ allows for the one-time signing of $r$ messages. Figure 2 illustrates how the secret keys generated by PRG after the qth hashing iteration produce intermediate secret keys $SK_q = (sk_0^{(q)}, sk_1^{(q)}, sk_2^{(q)}, \ldots, sk_{t-1}^{(q)})$, where $1 \leq q \leq t$ (here, the index $q$ implies the order of hashing). Thus, the pairs $KG : (SK_q; PK)$, formed with intermediate secret keys and common public keys, enable the signing of $q$ messages. Since the intermediate keys $SK_q$ are used only once, the scheme ensures a high level of security.
Below is the pseudocode (Algorithm 1) for the key generation algorithm described above.
Algorithm 1: Key Generation of Syrga2 (KgSyrga2(PRG(initial parameters)))
System parameters: Parameters $t$, $r$
Output: Secret key $SK = (sk_0, sk_1, sk_2, \ldots, sk_{t-1})$ and public key $PK = (pk_0, pk_1, pk_2, \ldots, pk_{t-1})$
1: for $i = 0$ to $t - 1$ do
2:    Compute $sk_i \leftarrow PRG(ip_i) \in \{0,1\}^{256}$
3:    $pk_i \leftarrow sk_i$
4:    for $j = 1$ to $1024$ do
5:      Compute $pk_i \in \{0,1\}^{256} \leftarrow H_0(pk_i)$
6: return $SK$, $PK$

4.3. Message Signing Algorithm

The $\mathrm{Sign}_{\mathrm{Syrga2}}(SK_q, M_q, \tau, q)$ algorithm takes as input the intermediate secret key $SK_q$, the message to be signed $M_q \in \mathcal{M}$, where $\tau$ is the number of elements in the permutation table $P$, and the ordinal number $q \in \mathbb{N}$. The output is the signature $\sigma$ for the message $M_q$. The message signing process proceeds as follows. Let $M_q$ be a given message, where $q \in [1, r]$. Set $h_0 = M_q$ and $ctr = 0$, $ctr \in \mathbb{Z}$. Depending on the desired security level, the parameter $\tau$ takes one of the following values: 32, 64, 128, 256.
(1) Compute the hash value $h = H_1(h_0)$, $H_1 : \{0,1\}^{256} \to \{0,1\}^{256}$.
(2) Divide the hash value $h$ into 32 parts $h_1, h_2, \ldots, h_{32}$, each of length $\log_2 256 = 8$ bits.
(3) Interpret each $h_j$ as an integer $i_j \in [0, 255]$, $j = 1, \ldots, 32$.
(4) Form a set of integers $P = (p_0, p_1, p_2, \ldots, p_s)$ from non-repeating $p_j$, which are sequentially added to the end of the set $P$, where $j = 1, \ldots, 32$. Here, $p_j \neq p_k$ for $j, k = 1, \ldots, 32$, $j \neq k$.
(5) If $s < \tau$, then, assuming $ctr = ctr + 1$ and $h_0 = h\ ctr$, perform the actions listed in steps 1–5.
(6) Generate a permutation table $P = (p_0, p_1, p_2, \ldots, p_{\tau-1})$, $p_j \neq p_k$, $j, k = 0, \ldots, \tau-1$, $j \neq k$.
(7) According to the permutation table $P$, compute $\sigma_j = H_0^{(r-q)}(sk_{p_j})$, $j = 0, \ldots, \tau-1$. Thus, $\sigma = (\sigma_0, \sigma_1, \ldots, \sigma_{\tau-1})$.
(8) Form the signature $\Sigma = (M_q, q, \sigma, \tau)$ and send $\Sigma$ to the recipient.
Figure 3 illustrates the signature formation process for a given message $M_q$ using $sk_{p_1}^{(q)}, sk_{p_2}^{(q)}, sk_{p_3}^{(q)}, \ldots, sk_{p_\tau}^{(q)}$, selected from the intermediate secret key $SK_q = (sk_0^{(q)}, sk_1^{(q)}, sk_2^{(q)}, \ldots, sk_{t-1}^{(q)})$.
Below is the pseudocode (Algorithm 2) for the message signing algorithm.
Algorithm 2: Message Signing of Syrga2 (SignSyrga2($SK$, $M_q$, $q$))
System parameters: Parameters $t$, $r$
Input: Secret key $SK_q$ and message $M_q$, $\tau$
Output: Signature $\Sigma = (M_q, q, \sigma)$
Install: $P = \emptyset$, $s = 0$, $ctr = 0$
1:   Set $h_0 \leftarrow M_q$
2:   Compute $h \in \{0,1\}^{256} \leftarrow H_1(h_0)$
3:   Split $h$: $(h_1, h_2, \ldots, h_{32}) \in \{0,1\}^8 \leftarrow h$
4:   for $j = 1$ to $32$ do
5:     Represent $h_j$ as Byte: $i_j \leftarrow \mathrm{Convert.ToByte}(h_j)$
6:   for $j = 1$ to $32$ do
7:     if $i_j \notin P$ then set $i_j$ to end of $P$, $s = s{+}{+}$
8:   if $s < \tau$ then $ctr = ctr + 1$, $h_0 = h\ ctr$, goto 2:
9:   for $j = 1$ to $\tau$ do
10:     $\sigma_j \leftarrow sk_{p_j}$
11:     for $s = 1$ to $r - q$ do
12:       $\sigma_j \in \{0,1\}^{256} \leftarrow H_1(\sigma_j)$
13:   $\sigma \leftarrow (\sigma_1, \sigma_2, \ldots, \sigma_\tau)$
14:   return Signature $\Sigma$

4.4. Message Signature Verification Algorithm

The $\mathrm{Vf}_{\mathrm{Syrga2}}(PK, \Sigma)$ algorithm verifies the authenticity of the message signature $M_q$: $(PK, SK_q) \leftarrow \mathrm{Kg}_{\mathrm{Syrga2}}(1^n)$, $M_q \in \mathcal{M}$: $\mathrm{Vf}_{\mathrm{Syrga2}}(PK, \mathrm{Sign}_{\mathrm{Syrga2}}(\Sigma, M_q)) = 1$. The algorithm assumes that the recipient has a set of public keys $PK$ and is aware of the hashing algorithm $H_1 : \{0,1\}^{256} \to \{0,1\}^{256}$. The $\mathrm{Vf}_{\mathrm{Syrga2}}(PK, \Sigma)$ algorithm operates as follows:
(1) Accept a signature $\Sigma = (M_q, q, \sigma, \tau)$ and set the values $h_0 = M_q$ and $ctr = 0$, $ctr \in \mathbb{Z}$.
(2) Compute the hash value $h = H_1(h_0)$.
(3) Divide the hash value $h$ into 32 parts $h_1, h_2, \ldots, h_{32}$, each of length $\log_2 256 = 8$ bits.
(4) Interpret each $h_j$ as an integer $i_j \in [0, 255]$, $j = 1, \ldots, 32$.
(5) Form a set of integers $P = (p_0, p_1, p_2, \ldots, p_s)$ from non-repeating $p_j$, which are sequentially added to the end of the set $P$, $j = 1, \ldots, 32$. Here, $p_j \neq p_k$, $j, k = 1, \ldots, 32$, $j \neq k$.
(6) If $s < \tau$, then assuming $ctr = ctr + 1$ and $h_0 = h\ ctr$, perform the actions listed in steps 2–6.
(7) Generate a permutation table $P = (p_0, p_1, p_2, \ldots, p_{\tau-1})$, $p_j \neq p_k$, $j, k = 0, \ldots, \tau-1$, $j \neq k$.
(8) Compute $\sigma_j = H_0^{(q)}(\sigma_j)$, $j = 0, \ldots, \tau-1$.
(9) Check the following condition: if for all $\sigma_j$ it holds true that $\sigma_j = pk_{p_j}$, then assert that the signature is true; otherwise, it is not true, where $j = 0, \ldots, \tau-1$.
Note: If in step (4) of the message signing algorithm and in step (5) of the message signature verification algorithm, after processing the data in the last cycle,  s τ , then  p τ  and subsequent values in the  P  table are not considered.
Below is the pseudocode (Algorithm 3) for the signature verification algorithm described above.
Algorithm 3: Signature Verification of Syrga2 (VfSyrga2($PK$, $\Sigma$))
System parameters: Parameters $t$, $r$
Input: Public key $PK$ and signature $\Sigma = (M_q, q, \sigma)$
Output: “accept” or “reject”
Install: $P = \emptyset$, $s = 0$, $ctr = 0$
1:   Set $h_0 \leftarrow M_q$
2:   Compute $h \in \{0,1\}^{256} \leftarrow H_1(h_0)$
3:   Split $h$: $(h_1, h_2, \ldots, h_{32}) \in \{0,1\}^8 \leftarrow h$
4:   for $j = 1$ to $32$ do
5:     Represent $h_j$ as Byte: $i_j \leftarrow \mathrm{Convert.ToByte}(h_j)$
6:   for $j = 1$ to $32$ do
7:     if $i_j \notin P$ then set $i_j$ to end of $P$, $s = s{+}{+}$
8:   if $s < \tau$ then $ctr = ctr + 1$, $h_0 = h\ ctr$, goto 2:
9:   for $j = 1$ to $\tau$ do
10:     $\sigma_j \leftarrow \sigma_j$
11:     for $l = 1$ to $q$ do
12:       $\sigma_j \in \{0,1\}^{256} \leftarrow H_1(\sigma_j)$
13:   $\sigma \leftarrow (\sigma_1, \sigma_2, \ldots, \sigma_\tau)$.
14:   for $j = 1$ to $\tau$ do
15:     if $\sigma_j \neq pk_{i_j}$ then
16:       return “reject”
17:   return “accept”
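Algorithms 1–3 as runnable Python, added here as an illustration and not the authors' implementation. Assumptions: SHA-256 stands in for HBC-256 as both $H_0$ and $H_1$, the PRG is SHA-256 over a seed and an index, and the counter update of step (5) is taken to be the hash with a 4-byte counter appended; `Signer`, `index_table`, `chain` and `verify` are names chosen for this example.

```python
import hashlib
import hmac
import os

T = 256                       # t: number of key components
R = 1024                      # r: chain length = messages per key pair
TAU_LEVELS = (32, 64, 128, 256)

def H(data):
    # Assumption: SHA-256 stands in for HBC-256 as both H0 and H1.
    return hashlib.sha256(data).digest()

def chain(value, steps):
    """Apply H to value `steps` times (the H^(k) notation in the text)."""
    for _ in range(steps):
        value = H(value)
    return value

def keygen(seed):
    """Algorithm 1. Assumption: the PRG G is SHA-256 over seed || index."""
    sk = [H(seed + i.to_bytes(2, "big")) for i in range(T)]
    pk = [chain(s, R) for s in sk]
    return sk, pk

def index_table(message, tau):
    """Signing steps (1)-(6): the first tau distinct byte values of h."""
    table, seen = [], set()
    h0, ctr = message, 0
    while len(table) < tau:
        h = H(h0)
        for byte in h:                      # 32 parts of 8 bits each
            if byte not in seen:
                seen.add(byte)
                table.append(byte)
        ctr += 1
        # Assumption: the counter is appended to h as 4 big-endian bytes.
        h0 = h + ctr.to_bytes(4, "big")
    return table[:tau]                      # surplus entries are ignored

class Signer:
    """Holds SK and the counter q; each q is used for exactly one message."""

    def __init__(self, seed=None):
        self.sk, self.pk = keygen(seed if seed is not None else os.urandom(32))
        self.q = 0                          # last counter value handed out

    def sign(self, message, tau=32):
        if tau not in TAU_LEVELS:
            raise ValueError("tau must be 32, 64, 128 or 256")
        if self.q >= R:
            raise RuntimeError("key pair exhausted: r messages already signed")
        # Advance the state before any chain value leaves this object. A real
        # signer must also persist q durably at this point.
        self.q += 1
        q = self.q
        sigma = [chain(self.sk[p], R - q) for p in index_table(message, tau)]
        return (message, q, sigma, tau)     # Sigma = (M_q, q, sigma, tau)

def verify(pk, signature):
    """Algorithm 3: hash each sigma_j q more times and compare with pk."""
    message, q, sigma, tau = signature
    if tau not in TAU_LEVELS or not 1 <= q <= R or len(sigma) != tau:
        return False
    ok = True
    for p, s in zip(index_table(message, tau), sigma):
        ok &= hmac.compare_digest(chain(s, q), pk[p])
    return ok
```

The verifier never needs `SK`: hashing each $\sigma_j$ another $q$ times completes the chain of length $r$ that key generation used to derive `pk`.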

5. Discussion

5.1. Security Analysis of Syrga2

It is known that the signature $(\sigma_1, \sigma_2, \ldots, \sigma_\tau)$ is obtained from the hash values of the keys $sk_1, sk_2, \ldots, sk_t$. Since the Syrga2 scheme belongs to the class with state tracking (via the parameter $q$), the attacker cannot create a false signature. However, it is necessary to assess the security level of the Syrga2 scheme in case the user inadvertently reuses the parameter $q$ multiple times. Let $z$ denote the number of instances where the parameter $q$ has been inadvertently reused, resulting in the attacker gaining knowledge of some key values.
Theorem 1.
Let $F_n = \{ f_k : \{0,1\}^n \to \{0,1\}^n \mid k \in \mathcal{K} \}$ be a family of one-way functions resistant to second preimage attacks and undetectable, and $H$ be a cryptographic hash function in the random oracle model. Then the insecurity of Syrga2 against UF-CMA attack is bounded by the probability:
P r S i g A , Σ U F C M A S y r g a 2 1 n , t , τ max t τ · τ z · t τ τ z ,   q · m a x Pr S i g A , Σ O W n = 1 , Pr S i g A , Σ S P R n = 1
Proof of Theorem 1.
The proof follows a similar approach to that of Theorem 1 presented in [16,22]. Therefore, a full proof is not provided here; instead, only the proof idea is outlined. The proof relies on contradiction, assuming that the adversary $\mathcal{A}$ can forge a signature for $\mathrm{Syrga2}(1^n, t, \tau)$ by mounting an attack based on a selected plaintext with success probability:
$$e_{\mathcal{A}} = \Pr[\mathrm{Sig}_{\mathcal{A},\Sigma}^{\mathrm{UF\text{-}CMA}}(\mathrm{Syrga2}(1^n, t, \tau))].$$
 □
The next step involves constructing an oracle machine $M^{\mathcal{A}}$, which breaks OW or SPR, using the adversary $\mathcal{A}$’s algorithm. The pseudocode description of the oracle machine $M^{\mathcal{A}}$ is provided in Algorithm 4.
Nobody claims that a random oracle exists, although there have been conjectures that a random oracle could be implemented in practice using a trusted party. Rather, the random oracle model provides a formal methodology that can be used for the development and verification of cryptographic schemes using the following two-stage approach:
First, a scheme is developed and its security is proven in the random oracle model. That is, we assume that there exists a random oracle in the world, and we build and analyze the cryptographic scheme within this model. Standard cryptographic assumptions that we have seen so far can also be used in proving security.
When we want to implement the scheme in the real world, the random oracle is unavailable. Instead, the random oracle is created using an appropriately designed cryptographic hash function $\hat{H}$. That is, at each point where the scheme dictates that a party should request the value of $H(x)$ from the oracle, the party instead computes $\hat{H}(x)$ itself.
Algorithm 4: $M^{\mathcal{A}}$
Input: Security parameter $n$, $q$, $\tau$, $M_q$,
one-way challenge $y_c$ and second preimage resistance challenge $x_c$
Output: A value $x$ that is either a preimage of $y_c$ or a second preimage of $x_c$ under $H_1$ or “Fail”
1:  Generate Syrga2 key pair: $(SK, PK) =$ KgSyrga2()
2:  Choose $\alpha \xleftarrow{\$} \{1, \ldots, \tau\}$ and $\beta \xleftarrow{\$} \{1, \ldots, q\}$ uniformly at random
3:  Choose $\gamma \xleftarrow{\$} \{\beta + 1, \ldots, q - 1\}$ uniformly at random
4:  Obtain  P K  by setting  P K i = H 1 ( q i ) S K ( 0 )  for all  i 1 , τ i α  and  P K α = H 1 ( q β ) y c
5:  Run $\mathcal{A}^{\mathrm{Sign}(SK, \cdot)}(PK)$
6:  if $\mathcal{A}^{\mathrm{Sign}(SK, \cdot)}(PK)$ queries Sign with $M_q$ then
(6a) Generate $P = (p_0, p_1, p_2, \ldots, p_{\tau-1})$, $p_j \neq p_k$, $j, k = 0, \ldots, \tau-1$, $j \neq k$.
(6b) if $p_\alpha < \beta$ then return “Fail”
(6c) Generate signature $\sigma$ of $M$:
   (6c.1) Compute: $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_\tau)$ (SignSyrga2($SK$, $M_q$, $q$))
   (6c.2) Set  σ α = H 1 p α β y c
(6d) Reply to query using $\sigma$
7:  if $\mathcal{A}^{\mathrm{Sign}(SK, \cdot)}(PK)$ returns valid $(\sigma, M_q)$ then
(7a) Generate $P = (p_0, p_1, p_2, \ldots, p_{\tau-1})$, $p_j \neq p_k$, $j, k = 0, \ldots, \tau-1$, $j \neq k$.
(7b) if  p β  then return “Fail”
(7c) if $\beta = q - 1$
  (c.1) return preimage  H 1 q 1 p 1 σ α
(7d) else
  (7d.1) if  H 1 β p σ α = y c  then
      return preimage  H 1 β p 1 σ α
  (7d.2) else if  x = H 1 γ p 1 σ α x c  and  H 1 γ p σ α = H 1 γ β y c
              then return the second preimage  x
8:  In any other case return “Fail”
The idea of Algorithm 4 is as follows. First, a key pair $SK, PK$ of the Syrga2 scheme is generated, and then challenges are introduced for one-wayness (OW) at position $\beta$ and for second preimage resistance (SPR) at position $\gamma$ based on index $\alpha$, resulting in the computation of $PK$. Subsequently, the modified public key $PK$ is forwarded to $A$. The adversary can request the signature of a message $M$. If the value $p$ computed during the evaluation of $M$ satisfies the condition $p < \beta$, then signature generation is unsuccessful, and the algorithm terminates. Otherwise, using the modified public key $PK$, a signature $\sigma$ is computed and passed to $A$. Consequently, a forged pair $(M, \sigma)$ is created. If this forged signature $\sigma$ is valid for signing $M$, it confirms the existence of a solution to one of the issues related to $\sigma$. Otherwise, $M_A$ returns “Fail”, indicating the failure to find a preimage and collision.
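Using the assumptions of one-wayness and second preimage resistance of $F_n$, it is possible to estimate the success probability of $A$ when $M_A$ is invoked:
$$e_A \leq \max\left\{ \frac{1}{\binom{t}{\tau}\cdot\binom{\tau}{z}\cdot\binom{t-\tau}{\tau-z}},\; q \cdot \max\left\{ \Pr\left[\mathrm{Sig}^{OW}_{A,\Sigma}(n) = 1\right],\ \Pr\left[\mathrm{Sig}^{SPR}_{A,\Sigma}(n) = 1\right] \right\} \right\}.$$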

5.2. Security Level and Performance Evaluation of the Scheme

Since no cryptographic system is immune to all attacks, it is proposed to assess its security level. This is a challenging task, and one common subjective approach for such assessment is using the concept of “bit security”—$b$. The assessment of security bits takes into account all known general attacks on the mathematical problem and cryptographic scheme [23]. Bit security bridges asymptotic and concrete modes of evaluating the security of cryptographic schemes. Whereas the asymptotic approach does not provide any guidance on concrete parameter selection, bit security helps us choose an appropriate set of parameters to guarantee a certain level of security when deploying cryptographic schemes [24]. The objectivity of assessing the security level of a scheme largely depends on the fundamental building blocks and primitives of the scheme itself. It is considered that a cryptographic system has a security level of $b$ if it can be expected that approximately $O(2^b)$ operations will be required for a successful attack on it [25].
Given Theorem 1, it is possible to compute the security level of Syrga2. This allows for comparing its security with that of other post-quantum digital signature schemes.
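$$\Pr\left[\mathrm{Sig}^{\mathrm{UF\text{-}CMA}}_{A,\Sigma}\,\mathrm{Syrga2}(1^n, t, \tau)\right] \leq \frac{1}{\binom{t}{\tau}\cdot\binom{\tau}{z}\cdot\binom{t-\tau}{\tau-z}}$$
So, for a security level of $b$, we obtain:
$$b \geq \log\left(\binom{t}{\tau}\cdot\binom{\tau}{z}\cdot\binom{t-\tau}{\tau-z}\right) = \log\frac{t!}{z!\,\left((\tau-z)!\right)^2\,(t+z-2\tau)!}$$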
Table 1 displays the security level of Syrga2 for different values of the parameter $\tau$ alongside other post-quantum signature schemes, and includes the calculation formula. Figure 4 showcases the security level of Syrga2 for various $\tau$ options.
In Figure 4, the dynamics of the security level $b$ are illustrated as a function of the parameter $z$. It has been experimentally determined that as $z$ increases, in all considered instances of $\tau$ ($\tau = 32, 64, 96, 128$), the security of the scheme decreases.
The number of keys that became known to the adversary due to the reuse of the parameter $q$ is denoted as $z$. However, it is worth noting that even with the maximum value of $z$, when $z = \tau$, the scheme still provides the required level of security.
Table A1 in Appendix A presents the input parameters, including the parameter $z$, which ranges from 16 to 32 with a step of 4, along with their corresponding security level values. The parameter $z$ characterizes the number of compromised secret keys when the same $q$ is reused erroneously. The value of the parameter $q$ cannot exceed the value of the parameter $\tau$, i.e., the number of intermediate secret keys selected for signing the message $M$.
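The security-level formula above can be evaluated directly to recompute the Syrga2 entries of Table 1 and Table A1. The following is an added example, not the authors' code: the function names are hypothetical, and the logarithm is assumed to be base 2, which is the base that matches the tabulated values for $t = 256$.

```python
import math

T = 256                     # t used for the Syrga2 rows of Table 1 and Table A1
TAUS = (32, 64, 96, 128)    # values of tau considered in the paper


def _check(t: int, tau: int, z: int) -> None:
    # The factorial form needs z <= tau and t + z - 2*tau >= 0.
    if not 0 <= z <= tau:
        raise ValueError("z must satisfy 0 <= z <= tau")
    if t + z - 2 * tau < 0:
        raise ValueError("t + z - 2*tau must be non-negative")


def security_bits(t: int, tau: int, z: int) -> float:
    """b = log2( C(t,tau) * C(tau,z) * C(t-tau, tau-z) ), exact integers."""
    _check(t, tau, z)
    count = math.comb(t, tau) * math.comb(tau, z) * math.comb(t - tau, tau - z)
    return math.log2(count)


def security_bits_factorial(t: int, tau: int, z: int) -> float:
    """Same level from t! / (z! ((tau-z)!)^2 (t+z-2tau)!), via log-gamma."""
    _check(t, tau, z)

    def ln_fact(n: int) -> float:
        return math.lgamma(n + 1)

    ln_b = (ln_fact(t) - ln_fact(z) - 2 * ln_fact(tau - z)
            - ln_fact(t + z - 2 * tau))
    return ln_b / math.log(2)


def level_with_full_reuse(t: int, tau: int) -> int:
    """Whole bits left when z = tau (every selected key is known)."""
    return math.floor(security_bits(t, tau, tau))


def appendix_rows(t: int, taus, z_values):
    """Rows shaped like Table A1: (z, [b per tau]); None where z > tau."""
    rows = []
    for z in z_values:
        levels = [round(security_bits(t, tau, z), 4) if z <= tau else None
                  for tau in taus]
        rows.append((z, levels))
    return rows


if __name__ == "__main__":
    for z, levels in appendix_rows(T, TAUS, range(16, 129, 4)):
        print(z, levels)
    # Whole-bit levels at z = tau, the Syrga2 rows of Table 1
    print([level_with_full_reuse(T, tau) for tau in TAUS])
```

Both forms are included so that the binomial product and the factorial expression can be checked against each other for any parameter set before it is deployed.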

5.3. Performance Evaluation of Syrga2

In this subsection, the efficiency of Syrga2 is analyzed using the HBC-256 and HAS01 hash functions developed at the IICT [26,27,28]. Software was implemented in the C++ programming language using the Microsoft Visual Studio integrated development environment for an objective performance evaluation. The characteristics of the PC used for the study are as follows: operating system—Windows 10 Pro (version 22H2), system type—64-bit operating system, processor—Intel(R) Core(TM) i5-7500T CPU @ 2.70 GHz, RAM—8.00 GB.
The results of the program’s operation with various input parameters are presented in Table 2 and Table 3. The size of the original file for signing is 30 bytes. The file was chosen to be small because the main goal of the research was to test the operation of the post-quantum algorithm for signature generation and verification. It is important to note the generation of the P-box separately. The P-box is dynamically generated in the program based on the hash values of the message M. Using the obtained values of the P-box and the private keys, a signature is formed.
Analysis of the values obtained in Table 2 and Table 3 shows that the execution time of the KgSyrga2() algorithm remains the same for different values of the parameter $\tau$, as it does not affect the key generation process. The formation of the permutation table P-box actually takes very little time, which is reflected in the tables using the comparison sign “<”. It is also worth noting that the total execution times of the SignSyrga2() and VfSyrga2() algorithms in Table 2 and Table 3 are approximately the same. For example, when $\tau = 128$, the total time is 2350 + 0.01 = 2350.01 ms in Table 2 and 1177 + 1203 = 2380 ms in Table 3. Thus, it can be concluded that the overall execution time of the entire hashing process is practically independent of the value of $q$ from which the hashing continues.
Table 4 presents a comparative analysis of the SYRGA2 scheme with other algorithms in terms of performance, key length, and signature length. For SYRGA2, parameters that showed the longest time were selected, i.e., $q = 512$ and $\tau = 128$.
As seen in Table 4, the most time-consuming part of the SYRGA2 algorithm is key generation, which takes about 5 s, while the other procedures collectively take about one second. Although this is slower than some of the algorithms listed in Table 4, it should be noted that the 5 s spent (to obtain a single public key) allows for the creation of a secure signature for at least 1024 messages.
If we compare SYRGA2 with SPHINCS-256 and HORS, they show better results in time parameters, but the key size is larger than that of SYRGA2. XMSS (SHA2-256), when compared with the proposed scheme, shows worse results in time parameters, but the key size is smaller than that of SYRGA2. All this depends on the individual structure of the considered schemes, the cryptographic parameters used in it, the performed optimization operations, as well as the computing resources of the computer.
One of the most promising directions in post-quantum cryptography is cryptographic systems for digital signatures based on hash functions. The resilience of hash functions is less affected by the advent of quantum computers. For example, the complexity of solving the hash function collision search problem remains within safe limits today even when the length of the hash function value is increased by one and a half times.
The proposed post-quantum digital signature scheme Syrga2 includes the HBC-256 hashing algorithm developed by the same authors. The security of Syrga2 is based on the resilience of HBC-256, where it manipulates the parameter $k$—the number of parts from 3 to 8 of the data to be hashed and an additional function ComF, which determines the length of the hash value. The maximum length of the hash value in HBC-256 can reach 1024 bits. Therefore, to find a collision in hash values of length 1024 bits using the “Birthday Paradox” method with a probability of 0.5, $0.83 \cdot 2^{512}$ messages would be required, which is not feasible for existing quantum computers.

6. Future Work

At this stage of the research, the main focus was on the development of a new digital signature scheme and ensuring its security. Therefore, special attention was given to verifying the correct functioning of the developed scheme with the capability for step-by-step monitoring of this process. Future work will involve selecting the optimal value of the parameter q, which significantly impacts the efficiency and performance of the scheme. Emphasis will be placed on optimizing the software code using cryptographic libraries. Performance evaluation will be carried out using the universal metric “cycles per byte” (CPB), which is applicable to cryptographic schemes. Furthermore, hardware implementation of the scheme is planned for the future. All these efforts require a significant amount of work for the practical application of the developed scheme. The results obtained will be reflected in the authors’ articles, which are planned to be published shortly.

7. Conclusions

Post-quantum cryptography is currently in the phase of active research and standardization and is already beginning to be implemented in real applications, even though many algorithms have not yet undergone standardization and testing procedures. Therefore, the scale of implementation of the proposed scheme will be determined based on its reliability in practice.
The main feature of the proposed Syrga2 scheme is that a single key pair $SK, PK$ can be used to sign multiple messages. The potential number of messages is determined by the parameter $q$, while the security level of the scheme remains unaffected. Since the proposed scheme is stateful, it is important to control this parameter. The article demonstrates how erroneously reusing the value of $q$ affects the security level. In the Syrga2 scheme, the size of the signature is determined by the parameter $\tau$ and takes values of 32, 64, 96, and 128. As shown in Table 3, if signing speed is important to users, it is preferable to choose smaller values of $\tau$, whereas if security is more important, larger values of $\tau$ should be chosen. The algorithms for hashing HAS01 and HBC-256, developed at IICT, were used in calculating the signature generation speed and all other measurements. The reliability of these hashing algorithms is presented in other works by the authors.

Author Contributions

Conceptualization, K.A. and K.S.; methodology, K.S. and K.S.; software, O.L.; validation, S.N.; formal analysis, S.N.; investigation, K.A. and K.S.; resources, O.L.; data curation, S.N.; writing—original draft preparation, K.S.; writing—review and editing, K.A.; visualization, O.L.; supervision, K.S.; project administration, K.A. All authors have read and agreed to the published version of the manuscript.

Funding

The research work was funded by the Ministry of Science and Higher Education of Kazakhstan and carried out within the framework of the project AP14870719 “Development and study of post-quantum cryptography algorithms based on hash functions” at the Institute of Information and Computational Technologies.

Data Availability Statement

Data are contained within the article.

Acknowledgments

The authors are grateful to all lab members of “Information security laboratory” IICT for their useful suggestions and support.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A

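Table A1. Security level of Syrga2.

| t | z | τ = 32 | τ = 64 | τ = 96 | τ = 128 |
|---|---|---|---|---|---|
| 256 | 16 | 244.4584 | 404.2143 | 455.2656 | 384.3512 |
| 256 | 20 | 227.5899 | 402.9182 | 463.3294 | 404.9993 |
| 256 | 24 | 205.7229 | 399.2947 | 469.3831 | 422.9558 |
| 256 | 28 | 177.159 | 393.4319 | 473.5926 | 438.5779 |
| 256 | 32 | 135.4192 | 385.3417 | 476.0656 | 452.1154 |
| 256 | 36 | | 374.9718 | 476.8711 | 463.7504 |
| 256 | 40 | | 362.2028 | 476.0496 | 473.6189 |
| 256 | 44 | | 346.8333 | 473.6186 | 481.8238 |
| 256 | 48 | | 328.5446 | 469.5752 | 488.4434 |
| 256 | 52 | | 306.8236 | 463.8971 | 493.5364 |
| 256 | 56 | | 280.7777 | 456.542 | 497.1454 |
| 256 | 60 | | 248.5537 | 447.4447 | 499.2995 |
| 256 | 64 | | 203.5669 | 436.5129 | 500.0157 |
| 256 | 68 | | | 423.6193 | 499.2995 |
| 256 | 72 | | | 408.5893 | 497.1454 |
| 256 | 76 | | | 391.179 | 493.5364 |
| 256 | 80 | | | 371.0365 | 488.4434 |
| 256 | 84 | | | 347.6222 | 481.8238 |
| 256 | 88 | | | 320.0224 | 473.6189 |
| 256 | 92 | | | 286.3662 | 463.7504 |
| 256 | 96 | | | 240.0544 | 452.1154 |
| 256 | 100 | | | | 438.5779 |
| 256 | 104 | | | | 422.9558 |
| 256 | 108 | | | | 404.9993 |
| 256 | 112 | | | | 384.3512 |
| 256 | 116 | | | | 360.4675 |
| 256 | 120 | | | | 332.4305 |
| 256 | 124 | | | | 298.3664 |
| 256 | 128 | | | | 251.6728 |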

References

  1. Li, S.; Chen, Y.; Chen, L.; Liao, J.; Kuang, C.; Li, K.; Liang, W.; Xiong, N. Post-Quantum Security: Opportunities and Challenges. Sensors 2023, 23, 8744.
  2. Malygina, E.S.; Kutsenko, A.V.; Novoselov, S.A.; Kolesnikov, N.S.; Bakharev, A.O.; Khilchuk, I.S.; Shaporenko, A.S.; Tokareva, N.N. Post-Quantum Cryptosystems: Open Problems and Solutions. Lattice-Based Cryptosystems. J. Appl. Ind. Math. 2023, 17, 767–790.
  3. Moldovyan, D.N.; Moldovyan, A.A.; Moldovyan, N.A. Post-quantum signature schemes for efficient hardware implementation. Microprocess. Microsyst. 2021, 80, 103487.
  4. Suhail, S.; Hussain, R.; Khan, A.; Hong, C.S. On the Role of Hash-Based Signatures in Quantum-Safe Internet of Things: Current Solutions and Future Directions. IEEE Internet Things J. 2021, 8, 1–17.
  5. Kumar, M. Post-quantum cryptography Algorithm’s standardization and performance analysis. Array 2022, 15, 100242.
  6. Pljonkin, A.; Petrov, D.; Sabantina, L.; Dakhkilgova, K. Nonclassical Attack on a Quantum Key Distribution System. Entropy 2021, 23, 509.
  7. Pljonkin, A. Vulnerability of the Synchronization Process in the Quantum Key Distribution System. In Research Anthology on Advancements in Quantum Technology; IGI Global: Hershey, PA, USA, 2021; pp. 345–354.
  8. Palmieri, P. Hash-Based Signatures for the Internet of Things: Position Paper. In Proceedings of the 15th ACM International Conference on Computing Frontiers, Ischia, Italy, 8–10 May 2018; Association for Computing Machinery: New York, NY, USA, 2018; pp. 332–335.
  9. Bernstein, D.J.; Hülsing, A.; Kolbl, S.; Niederhagen, R.; Rijneveld, J.; Schwabe, P. The SPHINCS+ signature framework. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS ’19), London, UK, 11–15 November 2019; pp. 2129–2146.
  10. Iavich, M.; Avtandil, G.; Iashvili, G. Hybrid Post Quantum Crypto System. Sci. Pract. Cyber Secur. J. (SPCSJ) 2019, 2, 92–98.
  11. Buchmann, J.; Lauter, K.; Mosca, M. Postquantum Cryptography—State of the Art. IEEE Secur. Priv. 2017, 15, 12–13.
  12. Nejatollahi, H.; Dutt, N.; Ray, S.; Regazzoni, F.; Banerjee, I.; Cammarota, R. Post-quantum lattice-based cryptography implementations. ACM Comput. Surv. 2022, 51, 129.
  13. Hülsing, A.; Rausch, L.; Buchmann, J. Optimal Parameters for XMSSMT. In Security Engineering and Intelligence Informatics; Cuzzocrea, A., Kittl, C., Simos, D.E., Weippl, E., Xu, L., Eds.; CD-ARES 2013. Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2013; Volume 8128, pp. 194–208.
  14. Shahid, F.; Khan, A.; Malik, S.R.; Choo, K.R. WOTS-S: A Quantum Secure Compact Signature Scheme for Distributed Ledger. Inf. Sci. 2020, 539, 229–249.
  15. Cavaliere, F.; Mattsson, J.; Smeets, B. The security implications of quantum cryptography and quantum computing. Netw. Secur. 2020, 2020, 9–15.
  16. Lee, J.; Park, Y. HORSIC+: An Efficient Post-Quantum Few-Time Signature Scheme. Appl. Sci. 2021, 11, 7350.
  17. Iavich, M.; Kuchukhidze, T.; Bocu, R. A Post-Quantum Digital Signature Using Verkle Trees and Lattices. Symmetry 2023, 15, 2165.
  18. Bernstein, D.J.; Hopwood, D.; Hülsing, A.; Lange, T.; Niederhagen, R.; Papachristodoulou, L.; Schneider, M.; Schwabe, P.; Wilcox-O’Hearn, Z. SPHINCS: Practical Stateless Hash-Based Signatures. In EUROCRYPT 2015. Lecture Notes in Computer Science; Oswald, E., Fischlin, M., Eds.; Advances in Cryptology—EUROCRYPT 2015; Springer: Berlin/Heidelberg, Germany, 2015; Volume 9056.
  19. Kudinov, M.A.; Kiktenko, E.O.; Fedorov, A.K. Security analysis of the W-OTS+ signature scheme: Updating security bounds. Math. Issues Cryptogr. 2021, 12, 129–149.
  20. Katz, J.; Lindell, Y. Introduction to Modern Cryptography, 3rd ed.; Chapman & Hall/CRC: London, UK, 2020.
  21. Algazy, K.; Sakan, K.; Khompysh, A.; Dyusenbayev, D. Development of a New Post-Quantum Digital Signature Algorithm: Syrga-1. Computers 2024, 13, 26.
  22. Hülsing, A. W-OTS+—Shorter Signatures for Hash-Based Signature Schemes. In Progress in Cryptology—AFRICACRYPT 2013; Youssef, A., Nitaj, A., Hassanien, A.E., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2013; Volume 7918, pp. 173–188.
  23. Sjöberg, M. Post-Quantum Algorithms for Digital Signing in Public Key Infrastructures. Master’s Thesis, KTH, Stockholm, Sweden, 2017. Available online: https://www.primekey.com/wp-content/uploads/2017/08/post-quantum-algorithms-for-pki.pdf (accessed on 26 January 2024).
  24. Lee, K. Bit Security as Cost to Demonstrate Advantage. IACR Commun. Cryptol. 2024, 1, 1.
  25. Contribution to the Handbook of Information. Available online: https://blkcipher.pl/assets/pdfs/NPDF-32.pdf (accessed on 6 January 2024).
  26. Algazy, K.; Sakan, K.; Kapalova, N.; Nyssanbayeva, S.; Dyusenbayev, D. Differential Analysis of a Cryptographic Hashing Algorithm HBC-256. Appl. Sci. 2022, 12, 10173.
  27. Algazy, K.; Sakan, K.; Kapalova, N. Evaluation of the strength and performance of a new hashing algorithm based on a block cipher. Int. J. Electr. Comput. Eng. (IJECE) 2023, 13, 3124–3130.
  28. Kapalova, N.; Dyusenbayev, D.; Sakan, K. A new hashing algorithm—HAS01: Development, cryptographic properties and inclusion in graduate studies. Glob. J. Eng. Educ. 2022, 24, 155–164. Available online: http://www.wiete.com.au/journals/GJEE/Publish/vol24no2/09-Sakan-K.pdf (accessed on 6 January 2024).
Figure 1. Classification of hash-based digital signatures.
Figure 2. Scheme for constructing the signature private key $SK$ and the verification public key $PK$.
Figure 3. Generating the signature $\sigma$ for the message $M_q$.
Figure 4. Security level of Syrga2 for various values of $\tau$.
Table 1. Security level of some post-quantum signature schemes.

| Schemes | Formulas | Parameters | Security Level, b |
|---|---|---|---|
| Syrga1 | $b = k \log(t/k)$ | $k = 32$, $t = 256$ | 96 |
| Syrga2 | $b = \log\frac{t!}{z!\,((\tau-z)!)^2\,(t+z-2\tau)!}$ | $\tau = 32$ | 135 |
| | | $\tau = 64$ | 203 |
| | | $\tau = 96$ | 240 |
| | | $\tau = 128$ | 251 |
| HORS | $b = k \log(t/(kr))$ | $k = 16$, $t = 2^{10}$, $r = 1$ | 96 |
| W-OTS+ | $b = n - \log(w^2 l + w)$, here $l = l_1 + l_2$, $l_1 = \lceil m/\log w \rceil$, $l_2 = \lfloor \log(l_1(w-1))/\log w \rfloor + 1$ | $n = 128$, $w = 21$, $m = 256$ | 113 |
| HORSIC+ | $b \geq \log\frac{t^k\,(z-1)!}{k!\,(k-1)!\,(z-k)!}$ | $n = 256$, $t = 2^{16}$, $k = 26$, $z = 35$, $w = 10$ | 353 |
Table 2. Time to obtain a signature for $q = 1$ and $\tau = \{32, 64, 96, 128\}$.

| Components of Syrga2 (time in milliseconds) | $\tau = 32$ | $\tau = 64$ | $\tau = 96$ | $\tau = 128$ |
|---|---|---|---|---|
| Key generation algorithm, KgSyrga2() | 4755 | 4755 | 4755 | 4755 |
| Formation of the P-box, $P = (p_0, p_1, p_2, \ldots, p_{\tau-1})$ | <0.01 | <0.01 | <0.01 | <0.01 |
| Signing algorithm, SignSyrga2() | 623 | 1216 | 1770 | 2350 |
| Signature verification algorithm, VfSyrga2() | 0.01 | 0.01 | 0.02 | 0.01 |
Table 3. Time to obtain a signature for $q = 512$ and $\tau = \{32, 64, 96, 128\}$.

| Components of Syrga2 (time in milliseconds) | $\tau = 32$ | $\tau = 64$ | $\tau = 96$ | $\tau = 128$ |
|---|---|---|---|---|
| Key generation algorithm, KgSyrga2() | 4755 | 4755 | 4755 | 4755 |
| Formation of the P-box, $P = (p_0, p_1, p_2, \ldots, p_{\tau-1})$ | <0.01 | <0.01 | <0.01 | <0.01 |
| Signing algorithm, SignSyrga2() | 301 | 627 | 893 | 1177 |
| Signature verification algorithm, VfSyrga2() | 310 | 609 | 930 | 1203 |
Table 4. A comparative summary of the hash-based signature scheme.
SchemeTimings (ms)Sizes (KB)
Key GenerationSigningVerification Key Size Signature Size
SYRGA1 [21]
SYRGA2
4982
4755
632
1177
1296
1203
8
8
1.033
1.033
HORS [4]1710014493.1 MB1.2
SPHINCS-256 [4]12.62362730141.0
XMSS (SHA2-256) [4]
XMSS+ [4]
4540
5600
4480
106
2690
25
4.7
3.67
0.03
3.4