Syrga2: Post-Quantum Hash-Based Signature Scheme

Abstract

This paper proposes a new post-quantum signature scheme, Syrga2, based on hash functions. As known, existing post-quantum algorithms are classified based on their structures. The proposed Syrga2 scheme belongs to the class of multi-use signatures with state retention. A distinctive feature of state-retaining signatures is achieving a compromise between performance and signature size. This scheme enables the creation of a secure signature for r messages using a single pair of secret and public keys. The strength of signature algorithms based on hash functions depends on the properties of the hash function used in their structure. Additionally, for such algorithms, it is possible to specify the security level precisely. In the proposed scheme, the HBC-256 algorithm developed at the Institute of Information and Computational Technologies (IICT) is used as the hash function. The security of the HBC-256 algorithm has been thoroughly studied in other works by the authors. In contrast to the Syrga1 scheme presented in previous works by the authors, the Syrga2 scheme provides for the definition of different security levels determined by the parameter τ. This paper experimentally demonstrates the impossibility of breaking the proposed scheme using a chosen-plaintext attack. Additionally, the scheme’s performance is evaluated for signature creation, signing, and message verification.

1. Introduction

Thanks to the continuous development of quantum computing, quantum communication, quantum cryptography, etc., quantum technologies have attracted the attention of the scientific and technical community in recent years and have become the subject of increased interest. Progress in research in the field of quantum technologies allows them to become more mature. While classical computers operate on binary codes, quantum computers use qubits to encode data. A qubit is a superposition of all intermediate states, allowing it to represent zero, one, or their linear combination. Thus, the application of quantum mechanics to computations allows a quantum computer to perform calculations much faster compared to a traditional computer. Quantum computers have high processing speed and the ability to solve specific tasks, which attracts the attention of many scientists and technical research organizations and contributes to their rapid development. In October 2019, Google announced the completion of a 53-qubit quantum computer. In November 2022, IBM announced the successful implementation of the Osprey quantum processor, capable of processing 433 qubits, and plans to release a processor with a memory volume of 4158 qubits in 2025 [1,2].

Quantum computers have brought about Shor’s algorithm and Grover’s algorithm, which impact the resilience of today’s cryptographic algorithms. The most widely used asymmetric encryption algorithms like RSA, DSA, and others are becoming less secure and can be cracked in polynomial time, dependent on the size of the public key. This holds true for any asymmetric encryption algorithms whose security relies on the complexity of solving mathematical problems such as factoring numbers (decomposing a number into prime factors) and discrete logarithms in a finite field or on a set of points on an elliptic curve [3]. In other words, all commonly used asymmetric encryption algorithms need to be replaced with algorithms whose security is based on the difficulty of solving other mathematical problems. For instance, RSA is a widely used public-key encryption system that underpins applications like web browsers and digital signature software [4].

Currently, there is a rivalry between quantum computing and classical cryptography. Classical cryptography safeguards the internet, blockchain ledgers, communication channels, and many other systems. Post-quantum cryptography aims to develop encryption algorithms resistant to attacks using algorithms on future quantum computers [5].

The fundamental differences between post-quantum cryptography methods and traditional ones lie in aspects such as mathematical foundations, resistance to attacks, key sizes, and performance, as well as their practical application.

In recent years, attacks on quantum key distribution (QKD) systems have been actively researched, and countermeasures have been proposed. Research results indicate that QKD systems have vulnerabilities not only in their protocols but also in other critical components of the systems [6,7].

The implications of the emergence of quantum computers for symmetric encryption algorithms and hash functions are not as critical. The cryptographic strength of any symmetric encryption algorithm and hash function when using a quantum computer is equivalent to the cryptographic strength of the same algorithm when using a classical computer, but with the encryption key or hash code length doubled [8]. In other words, for symmetric encryption algorithms and hashing, one can simply double the length of the key or hash code to achieve the same cryptographic strength without changing the cryptographic algorithm. Increasing the length of the key or hash code will lead to increased encryption time. However, this is a natural progression: as computer performance and quantity grow, computational resources for attacks also increase. To defend against them, it is necessary to increase the size of the symmetric key or hash code.

In 2017, the National Institute of Standards and Technology (NIST) of the United States organized an open international competition for submissions and discussions on standardizing post-quantum cryptographic schemes. On 30 January 2019, NIST published a list of 26 candidate algorithms that had advanced to the second round of the competition. In July 2022, the third round of the NIST competition concluded, and the final list of algorithms for standardization in the United States was announced. Among the selected algorithms were the CRYSTALS-Dilithium, Falcon, SPHINCS+, digital signature schemes, and the CRYSTALS-Kyber key exchange scheme [9,10].

In July 2023, NIST published a list of digital signature schemes admitted to participating in the competition for an additional quantum-resistant standard. The list included 40 schemes out of 50 submitted ones, based on various synthesis principles, including lattice-based problems, coding, hash functions, and others. The main reason for conducting an additional round was the fact that the most efficient schemes-winners of the main stage (CRYSTALS-Dilithium, Falcon) are based on lattice-based problems, while the third finalist—SPHINCS—lags behind them in terms of performance. As of August 2023, several schemes from the new list have already demonstrated sufficiently effective attacks [11].

Hash-based cryptography creates signature algorithms whose security is mathematically based on the security of the chosen cryptographic hash function. For instance, SHA-2 is considered secure against attacks from the most powerful modern supercomputers and is also deemed quantum-safe. This implies that a hash-based signature algorithm using SHA-2 is essentially as secure as SHA-2 itself. Hash-based cryptography was initially developed by Lamport and Merkle in the late 1970s. Since the publication of the original Merkle scheme, hash-based algorithms have become more efficient [12].

2. A Brief Review of Existing Hash-Based Signature (HBS) Post-Quantum Signature Schemes

The concept of designing an electronic digital signature based on hash functions emerged in 1979 in the work of the American scientist Lamport [13]. When creating a signature using a pseudo-random number generator (PRNG), 256 pairs of random 256-bit numbers $\left(a_i,b_i\right),i=\overline{0,255}$, are generated, which are considered the secret key of the system. By hashing the pairs of numbers $\left(a_i,b_i\right)$, corresponding pairs of public keys $\left(a_i^{\prime },b_i^{\prime }\right),i=\overline{0,255}$, are created. In general, in this scheme, any cryptographically secure one-way function H can also be applied.

One of the well-known one-time signature schemes (OTS), used in many modern post-quantum signatures, is the Winternitz OTS (WOTS) scheme [14]. In the construction of a signature in the WOTS scheme, a sequence of secret keys $SK=\left({SK}_0,{SK}_1,\dots ,{SK}_{m/w}\right)$ is first generated using a random number generator (RNG). Then, a sequence of public keys $PK=\left({PK}_0,{PK}_1,\dots ,{PK}_{m/w}\right)$ is generated using the hash function H applied $2^w-1$ times.

The WOTS scheme has several variations. One of them is the WOTS+ scheme, incorporated into the structure of the SPHINCS+ algorithm, which was presented in the NIST competition and selected after three rounds. The advantage of using a chain function in the WOTS+ scheme is that the high collision resistance of the hash function used in it is not a mandatory condition.

Nevertheless, since the mentioned schemes belong to the group of one-time signatures, it is necessary to carefully manage the keys when generating signatures for multiple messages. Therefore, in addition to them, schemes with few-time signatures (FTS) are also being developed. Among the most popular of these schemes is the HORS (Hash to Obtain Random Subset) scheme [15].

Several modifications of the HORS scheme have also been developed, such as HORSIC and HORSIC+. HORSIC employs a bijective function to transform all k parts into numerical values. Besides, a method for reducing the signature size is considered. In HORSIC+, the same chaining function as in the WOTS+ scheme is used to enhance security, but with the consideration of being resistant to chosen message attacks [16].

The drawback of the aforementioned schemes is that in some, a key cannot be used more than once, while in others, the level of security continues to decrease upon reusing the same key. To address these limitations, it is recommended to use a Merkle tree (binary hash tree). When constructing a binary tree, a single overall hash value, called the Merkle root, covering all data parts is computed. By using a single public key and a Merkle tree of height n, it is possible to create a common signature for $2^n$ messages [17].

Using the Merkle tree to manage keys of the WOTS+ scheme, a new scheme called XMSS (eXtended Merkle Signature Scheme) was created. In XMSS, the root of the Merkle tree is taken as the public key, and each leaf is the Merkle root from the set of WOTS+ public keys. Such a tree is also called an “L-tree”. To sign a message M, a leaf of the tree that has not been used before is selected, and it uses secret keys to generate a WOTS+ signature.

In addition to the schemes mentioned above, there are several other ways to create HBS. Among them, it is worth noting the SPHINCS+ digital signature scheme, which was selected as a result of the NIST competition. In this scheme, there is also no need to track the state [18]. One of the early versions of the SPHINCS+ algorithm, the SPHINCS algorithm, was developed using HORS-T and WOTS+ schemes, and to compute the root of the Merkle tree, keys need to be pre-generated. In the SPHINCS algorithm, by using a hypertree and a random string key address scheme, it was possible to manage multiple keys without computing all the leaves of the tree.

The SPHINCS+ algorithm, when signing a message, uses an enhanced version of HORS called the Forest of Random Subsets (FORS) scheme and a tunable hash function for security. In FORS, k binary trees of height n are considered. Since each tree contains $t=2^n$ secret keys, the total number of keys will be $k\times t$. The roots of these trees are hashed together to form the FORS root.

In this section, brief descriptions of signature schemes Lamport, WOTS, WOTS+, HORS, and some others are provided. In general, algorithms based on post-quantum hash functions can be divided into two groups: stateful and stateless. Figure 1 shows schemes developed to date, grouped by structures.

There is every reason to believe that hash-based cryptography will remain one of the priority directions in post-quantum cryptography. Algorithms in this field will rely solely on cryptographically secure hash functions for generating and verifying digital signatures.

3. Materials and Methods

Currently, there are several cryptographic signature schemes constructed based on hash functions. The security of such constructions cannot be proven based on any assumptions or properties of the considered hash function regarding collision resistance and message preimage recovery. However, it is not ruled out that some robust constructions may be less efficient than other approaches whose security has not yet been proven [19].

A balanced approach between strict security proof and complete lack of proof, which has proven successful in practice and passed experimental tests, is the adoption of an idealized model capable of demonstrating the security of cryptographic schemes. Among such approaches, the most popular is the random oracle model [20].

The random oracle model treats cryptographic hash functions as truly random functions. This model assumes the existence of a common random function H, which can only be defined by “queries” to the oracle, and can be viewed as a “black box” that, for each unique query x, provides a random response H(x) uniformly distributed from its output space. Additionally, if a query is repeated multiple times, the oracle always returns the same response.

To describe the formal model of security, let’s introduce definitions and concepts related to digital signature schemes.

Definition 1.

A quantity given by a function $e\left(\lambda \right)$ of some parameter λ, is called negligible if for all $\forall c>0,\exists K>0:\forall \lambda \ge K e\left(\lambda \right)<{\lambda }^{-c}$.

Definition 2.

Let $\mathcal{M}$ be the message space. A digital signature scheme $\Sigma =\left(Kg\right(), Sign(), Vf(\left)\right)$ consists of a triple of probabilistic polynomial-time algorithms:

• The algorithm $Kg\left(1^n\right)$  , given the security parameter $1^n$, outputs a signature key (private key) SK and a verification key (public key)  $PK$;
• The algorithm  $Sign(SK,M)$  outputs the signature  $\sigma$  of the message  $M\in \mathcal{M}$  using the key  $SK$;
• The algorithm $Vf(PK,M, \sigma )$ outputs 1, if $\sigma$ is a valid signature, i.e., $Vf(PK,M, Sign(SK,M\left)\right)=1.$

The security of a digital signature scheme means that an adversary cannot create a forgery even if they have access to signatures on many messages of their choice. Security is defined using the following experiment for an adversary 𝒜 and a parameter $n$:

Experiment with signature ${Sig}_{\mathcal{A},\mathsf{\Sigma }}^{UF-CMA}\left(n\right)$.

• Execute $\mathrm{K}\mathrm{g}\left(1^n\right)$ to obtain the keys $PK,SK$.
• Adversary 𝒜 is given the public key $PK$ and access to the oracle $\mathrm{S}\mathrm{i}\mathrm{g}\mathrm{n}(SK,M)$ for any message $M$ of their choice. The adversary returns $(M;\sigma )$.
• The result of the experiment is 1 if $\mathrm{V}\mathrm{f}\left(M;\sigma \right)=1$ for $M\notin M^{\prime }$, where $M^{\prime }$ is the set of messages for which signatures were requested by 𝒜.

Definition 3.

A digital signature scheme $\Sigma =\left(Kg\right(), Sign(), Vf(\left)\right)$ possesses the property of existential unforgeability under an adaptive chosen-message attack (UF-CMA) if, for all polynomial-time probabilistic adversaries 𝒜, there exists a negligible function $negl$, such that:

$$Pr\left[{Sig}_{\mathcal{A},\Sigma }^{UF-CMA}\right(n)=1] \le negl\left(n\right).$$

(1)

Let $n\in N$ be the security parameter and let ${\mathcal{F}}_n=\left\{f_k: {\left\{\mathrm{0,1}\right\}}^n\to {\left\{\mathrm{0,1}\right\}}^n| k\in \mathcal{K}\right\}$ be a family of functions. The elements of $\mathcal{K}$ a called key, and each key $k$ defines a specific function $f_k$ in the family ${\mathcal{F}}_n$.

A function is pre-image resistant (or one-way) if it is easy to compute but hard to invert. The success probability of an adversary against the pre-image resistance of ${\mathcal{F}}_n$ is given by:

$$\mathrm{P}\mathrm{r}[{\mathrm{S}\mathrm{i}\mathrm{g}}_{\mathcal{A},\Sigma }^{OW}(n)=1]=\mathrm{P}\mathrm{r}\left[k\stackrel{\mathrm{\$}}{\leftarrow }\mathcal{K};x\stackrel{\mathrm{\$}}{\leftarrow }{\left\{\mathrm{0,1}\right\}}^n;y\leftarrow f_k(x);x^{\mathrm{\prime }}\stackrel{\mathrm{\$}}{\leftarrow }\mathcal{A}\left(k,y\right):y=f_k\left(x^{\mathrm{\prime }}\right)\right].$$

(2)

Definition 4.

A family of functions ${\mathcal{F}}_n$ is called pre-image resistant or one-way (OW) if, for all probabilistic polynomial-time adversaries 𝒜, there exists a negligible function $negl$, such that:

$$Pr\left[{Sig}_{\mathcal{A},\Sigma }^{OW}\left(n\right)=1\right]\le negl\left(n\right).$$

(3)

Second-preimage resistance (HBS) refers to the difficulty of finding a second message with the same hash value for a given message with a known hash value, denoted as ${Sig}_{\mathcal{A},\Sigma }^{SPR}\left(n\right)$.

Definition 5.

A family of functions ${\mathcal{F}}_n$ is considered second-preimage resistant if the success probability of any polynomial-time adversary $\mathcal{A}$ is negligible:

$$Pr\left[{Sig}_{\mathcal{A},\Sigma }^{SPR}\right(n)=1]\le negl\left(n\right).$$

(4)

Regarding collisions in the context of hash function $F$, it refers to the situation where the hash values of two different inputs $a$ and $b$ are the same, i.e., $F \left(a\right)=F \left(b\right)$ for $a \ne b$. Since the number of possible plaintexts is greater than the number of possible hash values, there are inevitably multiple preimages for some hash values. Hash functions for which finding collisions is a challenging task are called collision-resistant functions.

Definition 6.

A family of functions ${\mathcal{F}}_n$ is considered collision-resistant if, for all polynomial-time adversaries 𝒜, there exists a negligible function $negl$, such that:

$$Pr\left[{Sig}_{\mathcal{A},\Sigma }^{Coll}\right(n)=1]\le negl\left(n\right).$$

(5)

4. Results

4.1. Description of the Post-Quantum Digital Signature Algorithm Syrga2

Increasing the number of qubits in quantum computing is an important area of research as it contributes to the development of more powerful quantum computers and opens up new possibilities for solving complex cryptographic problems that cannot be addressed by classical computers. Thus, post-quantum cryptography aims to create algorithms that can ensure security in a world with quantum computers, making it critically important for communication and data security.

The proposed algorithm Syrga2 in its structure and operation is similar to the post-quantum digital signature algorithm Syrga1 and is considered its modified version [21]. Syrga2 is a hash-based signature scheme, representing a stateful digital signature scheme. The preservation of the state is managed by a parameter or counter q, which is updated for each new signature created to prevent the reuse of the same key pair. The difference from Syrga1 lies in the method of forming a sequence of components of secret keys for signing a specific message. In Syrga2, there is no repetition of identical components of secret keys in the obtained sequence of values. The formed sequence, consisting of elements in a specific quantity, can be considered as a permutation or arrangement without repetitions in the sequence (set) of secret keys. The method of obtaining this sequence from non-repeating components of secret keys is presented below.

The scientific novelty of the proposed algorithm lies in the ability to obtain a set of intermediate secret keys by iteratively hashing the original set of secret keys r times. These intermediate keys enable the signing of r messages with one-time keys. An advantage of the algorithm is its relatively small signature size and implementation time, attributed to the absence of authentication paths characteristic of some algorithms using Merkle trees. Another feature of Syrga2 is the possibility to adjust the parameter $\tau$ to enhance its security level. The choice of $\tau$ is independent of the hash code length, allowing the use of any other hash function.

Like all other signature algorithms, the Syrga2 ${\mathrm{D}\mathrm{S}\mathrm{S}}_{\mathrm{S}\mathrm{y}\mathrm{r}\mathrm{g}\mathrm{a}-2}$ scheme consists of a trio of probabilistic polynomial-time algorithms: ${\mathrm{K}\mathrm{g}}_{\mathrm{S}\mathrm{y}\mathrm{r}\mathrm{g}\mathrm{a}2}()$ for key generation, ${\mathrm{S}\mathrm{i}\mathrm{g}\mathrm{n}}_{\mathrm{S}\mathrm{y}\mathrm{r}\mathrm{g}\mathrm{a}2}()$ for message signing, and ${\mathrm{V}\mathrm{f}}_{\mathrm{S}\mathrm{y}\mathrm{r}\mathrm{g}\mathrm{a}2}()$ for signature verification. In the ${\mathrm{D}\mathrm{S}\mathrm{S}}_{\mathrm{S}\mathrm{y}\mathrm{r}\mathrm{g}\mathrm{a}2}$, $\mathcal{M}$ is regarded as the message space.

4.2. Key Generation Algorithm

The ${\mathrm{K}\mathrm{g}}_{\mathrm{S}\mathrm{y}\mathrm{r}\mathrm{g}\mathrm{a}2}\left(1^n\right)$ algorithm, when given the security parameter $1^n$, generates the private signing key $SK$ and the public verification key $PK$. To generate $SK$, any pseudo-random number generator (PRG), denoted as G, can be used. G transforms random input of shorter length into longer n-bit pseudo-random output: $G:\left\{0,1\right\}*\to {\left\{0,1\right\}}^{t\ast n},$ where $n,t\in \mathbb{N}$. The result of the function G is uniformly divided into t parts to define $SK=\left({sk}_0,{sk}_1,{sk}_2,\dots ,{sk}_{t-1}\right)$. To obtain the public key, a cryptographically secure hash function $H_0:{\left\{0,1\right\}}^n\to {\left\{0,1\right\}}^n$ is utilized. The public key $PK=\left({pk}_0,{pk}_1,{pk}_2,\dots ,{pk}_{t-1}\right)$ of the ${\mathrm{D}\mathrm{S}\mathrm{S}}_{\mathrm{S}\mathrm{y}\mathrm{r}\mathrm{g}\mathrm{a}2}$ scheme is considered the result of r-fold hashing of $SK$, i.e., $PK=H_0^{\left(r\right)}\left(SK\right)$ or ${pk}_i$=$H_0^{\left(r\right)}\left({sk}_i\right)$, where $i=0,\dots ,t-1$. For the Syrga2 scheme, security parameters and other initial parameters are defined as follows: $n=256$, $t=256$ and $r=1024$. Consequently, the length of each ${sk}_i$ and ${pk}_i$ is 256 bits.

In the next step of key construction, a pair of secret and public keys for signing a specific message $M_q$ is defined, where $1\le q\le t$. It is noteworthy that the presented ${\mathrm{D}\mathrm{S}\mathrm{S}}_{\mathrm{S}\mathrm{y}\mathrm{r}\mathrm{g}\mathrm{a}2}$ scheme using the composed key pair $\mathrm{K}\mathrm{G}:\left(SK;PK\right)$ allows for the one-time signing of $r$ messages. Figure 2 illustrates how the secret keys generated by PRG after the qth hashing iteration produce intermediate secret keys ${SK}_q=\left({sk}_0^{\left(q\right)},{sk}_1^{\left(q\right)},{sk}_2^{\left(q\right)},\dots ,{sk}_{t-1}^{\left(q\right)}\right)$, where $1\le q\le t$ (here, the index $\left(q\right)$ implies the order of hashing). Thus, the pairs $\mathrm{K}\mathrm{G}:\left({SK}_q;PK\right)$, formed with intermediate secret keys and common public keys, enable the signing of q messages. Since the intermediate keys ${SK}_q$ are used only once, the scheme ensures a high level of security.

Below is the pseudocode (Algorithm 1) for the key generation algorithm described above.

Algorithm 1: Key Generation of Syrga2 (KgSyrga2(PRG(initial parameters)))

System parameters: Parameters $t$, $r$ Output: Secret key $SK=\left({sk}_0,{sk}_1,{sk}_2,\dots ,{sk}_{t-1}\right)$ and public key $PK=\left({pk}_0,{pk}_1,{pk}_2,\dots ,{pk}_{t-1}\right)$ 1: for $i=0$ to $t-1$ do 2:    Compute ${sk}_i\stackrel{PRG\left({ip}_i\right)}{\leftarrow }{\left\{\mathrm{0,1}\right\}}^{256}$ 3:  ${{pk}_i\leftarrow sk}_i$ 4:    for $j=1$ to $1024$ do 5:     Compute ${pk}_i\stackrel{{\left\{0, 1\right\}}^{256}}{\leftarrow }{H}_0({pk}_i)$ 6: return $SK, PK$

4.3. Message Signing Algorithm

The ${\mathrm{S}\mathrm{i}\mathrm{g}\mathrm{n}}_{\mathrm{S}\mathrm{y}\mathrm{r}\mathrm{g}\mathrm{a}2}({SK}_q,M_q,\tau ,q)$ algorithm takes as input the intermediate secret key ${SK}_q$, the message to be signed $M_q\in \mathcal{M}$, where $\tau$ is the number of elements in the permutation table $P$, and the ordinal number $q\in \mathbb{N}$. The output is the signature $\sigma$ for the message $M_q$. The message signing process proceeds as follows. Let $M_q$ be a given message, where $q\in \left[1,r\right].$ Set $h_0=M_q$ and $ctr=0,ctr\in Z$. Depending on the desired security level, the parameter $\tau$ takes one of the following values: 32, 64, 128, 256.

(1)

Compute the hash value $h=H_1\left(h_0\right)$, $H_1:{\left\{0,1\right\}}^{256}\to {\left\{0,1\right\}}^{256}$.

(2)

Divide the hash value $h$ into 32 parts $h_1,h_2,\dots ,h_{32}$, each of length ${\log }_{2}256=8$ bits.

(3)

Interpret each $h_j$ as an integer $i_j\in \left[0,255\right]$, $j=1,\dots ,32.$

(4)

Form a set of integers $P=\left(p_0,p_1,p_2,\dots ,p_s\right)$ from non-repeating $p_j$, which are sequentially added to the end of the set $P$, where $j=1,\dots ,32$. Here, $p_j\ne p_k$ for $j,k=1,\dots ,32$, $j\ne k$.

(5)

If $s<\tau$, then, assuming $ctr=ctr+1$ and $h_0=h⨁ctr$, perform the actions listed in steps 1–5.

(6)

Generate a permutation table $P=\left(p_0,p_1,p_2,\dots ,p_{\tau -1}\right),p_j\ne p_k$, $j,k=0,\dots ,\tau -1$, $j\ne k$.

(7)

According to the permutation table $P$, compute ${\sigma }_j=H_0^{(r-q)}\left({sk}_{p_j}\right)$, $j=0,\dots ,\tau -1.$ Thus, $\sigma =\left({\sigma }_0,{\sigma }_2,\dots ,{\sigma }_{\tau -1}\right)$.

(8)

Form the signature $\Sigma =\left(M_q,q,\sigma ,\tau \right)$ and send $\Sigma$ to the recipient.

Figure 3 illustrates the signature formation process for a given message $M_q$ using ${sk}_{p_1}^{\left(q\right)},{sk}_{p_2}^{\left(q\right)},{sk}_{p_3}^{\left(q\right)},\dots ,{sk}_{p_{\tau }}^{\left(q\right)}$, selected from the intermediate secret key ${SK}_q=\left({sk}_0^{\left(q\right)},{sk}_1^{\left(q\right)},{sk}_2^{\left(q\right)},\dots ,{sk}_{t-1}^{\left(q\right)}\right)$.

Below is the pseudocode (Algorithm 2) for the message signing algorithm.

Algorithm 2: Message Signing of Syrga2 (SignSyrga2($SK,M_q,q$))

System parameters: Parameters $t$, $r$ Input: Secret key $SK$, $q$ and message $M_q$, $\tau$ Output: Signature $\Sigma =\left\{M_q,q,\sigma \right\}$ Install: $P=\varnothing$, $s=0$, $ctr=0$ 1:   Set $h_0\leftarrow M_q$ 2:   Compute $h\stackrel{{\left\{0, 1\right\}}^{256}}{\leftarrow }{H}_1\left(h_0\right)$ 3:   Split $h$: $h_1,h_2,\dots , h_{32}\stackrel{{\left\{0, 1\right\}}^8}{\leftarrow }h$ 4:   for $j=1$ to $32$ do 5:    Represent $h_j$ as Byte: $i_j\leftarrow {Convert.ToByte(h}_j)$ 6:   for $j=1$ to $32$ do 7:     if $i_j\notin P \mathbf{t}\mathbf{h}\mathbf{e}\mathbf{n} i_j set to end of P$, $s=s$++ 8:   if $s<\tau$ then $ctr=ctr+1, h_0=h⨁ctr$ goto 2: 9:   for $j=1$ to $\tau$ do 10:      ${\sigma }_j\leftarrow {sk}_{p_j}$ 11:     for $s=1$ to $r-q$ do 12:      ${\sigma }_j\stackrel{{\left\{0, 1\right\}}^{256}}{\leftarrow }{H}_1\left({\sigma }_j\right)$ 13:   $\sigma \leftarrow \left({\sigma }_1,{\sigma }_2,\dots , {\sigma }_{\tau }\right)$ 14:   return Signature $\Sigma$

4.4. Message Signature Verification Algorithm

The ${\mathrm{V}\mathrm{f}}_{\mathrm{S}\mathrm{y}\mathrm{r}\mathrm{g}\mathrm{a}2}(PK,\Sigma )$ algorithm verifies the authenticity of the message signature $M_q$:$\forall \left(PK,{SK}_q\right)\leftarrow {\mathrm{K}\mathrm{g}}_{\mathrm{S}\mathrm{y}\mathrm{r}\mathrm{g}\mathrm{a}2}\left(1^n\right),\forall \left(M_q\in \mathcal{M}\right):{\mathrm{V}\mathrm{f}}_{\mathrm{S}\mathrm{y}\mathrm{r}\mathrm{g}\mathrm{a}2}\left(PK,{\mathrm{S}\mathrm{i}\mathrm{g}\mathrm{n}}_{\mathrm{S}\mathrm{y}\mathrm{r}\mathrm{g}\mathrm{a}2}\left(\Sigma \right),M_q\right)=1$. The algorithm assumes that the recipient has a set of public keys $PK$ and is aware of the hashing algorithm $H_1:{\left\{0,1\right\}}^{256}\to {\left\{0,1\right\}}^{256}$. The ${\mathrm{V}\mathrm{f}}_{\mathrm{S}\mathrm{y}\mathrm{r}\mathrm{g}\mathrm{a}2}(PK,\Sigma )$ algorithm operates as follows:

(1)

Accept a signature $\Sigma =\left(M_q,q,\sigma ,\tau \right)$ and set the values $h_0=M_q$ and $ctr=0,ctr\in Z$.

(2)

Compute the hash value $h=H_1\left(h_0\right)$.

(3)

Divide the hash value $h$ into 32 parts $h_1,h_2,\dots ,h_{32}$, each of length ${\log }_{2}256=8$ bits.

(4)

Interpret each $h_j$ as an integer $i_j\in \left[0,255\right]$, $j=1,\dots ,32.$

(5)

Form a set of integers $P=\left(p_0,p_1,p_2,\dots ,p_s\right)$ from non-repeating $p_j$, which are sequentially added to the end of the set $P$, $j=1,\dots ,32$. Here, $p_j\ne p_k$, $j,k=1,\dots ,32$, $j\ne k$.

(6)

If $s<\tau$, then assuming $ctr=ctr+1$ and $h_0=h⨁ctr$, perform the actions listed in steps 2–6.

(7)

Generate a permutation table $P=\left(p_0,p_1,p_2,\dots ,p_{\tau -1}\right),p_j\ne p_k$, $j,k=0,\dots ,\tau -1$, $j\ne k$.

(8)

Compute ${\sigma }_j^{\prime }=H_0^{\left(q\right)}\left({\sigma }_j\right)$, $j=0,\dots ,\tau -1.$

(9)

Check the following condition: if for all ${\sigma }_j^{\prime }$ it holds true that ${\sigma }_j^{\prime }={pk}_{p_j}$, then assert that the signature is true; otherwise, it is not true, where $j=0,\dots ,\tau -1$.

Note: If in step (4) of the message signing algorithm and in step (5) of the message signature verification algorithm, after processing the data in the last cycle, $s\ge \tau$, then $p_{\tau }$ and subsequent values in the $P$ table are not considered.

Below is the pseudocode (Algorithm 3) for the signature verification algorithm described above.

Algorithm 3: Signature Verification of Syrga2 (VfSyrga2($PK,\Sigma$))

System parameters: Parameters $t$, $r$ Input: Public key $PK$ and signature $\Sigma =\left\{M_q,q,\sigma \right\}$ Output: “accept” or “reject” Install: $P=\varnothing$, $s=0$, $ctr=0$ 1:   Set $h_0\leftarrow M_q$ 2:   Compute $h\stackrel{{\left\{0, 1\right\}}^{256}}{\leftarrow }{H}_1\left(h_0\right)$ 3:   Split $h$: $h_1,h_2,\dots , h_{32}\stackrel{{\left\{0, 1\right\}}^8}{\leftarrow }h$ 4:   for $j=1$ to $32$ do 5:  Represent $h_j$ as Byte: $i_j\leftarrow {Convert.ToByte(h}_j)$ 6:   for $j=1$ to $32$ do 7:      if $i_j\notin P \mathbf{t}\mathbf{h}\mathbf{e}\mathbf{n} i_j set to end of P$, $s=s$++ 8:   if $s<\tau$ then $ctr=ctr+1,$ $h_0=h⨁ctr$ goto 2: 9:   for $j=1$ to $\tau$ do 10:    ${\sigma }_j^{\prime }\leftarrow {\sigma }_j$ 11:    for $l=1$ to $q$ do 12:     ${\sigma }_j^{\prime }\stackrel{{\left\{0, 1\right\}}^{256}}{\leftarrow }{H}_1\left({\sigma }_j^{\prime }\right)$ 13:   ${\sigma }^{\prime }\leftarrow \left({\sigma }_1^{\prime },{\sigma }_2^{\prime },\dots , {\sigma }_{\tau }^{\prime }\right)$. 14:   for $j=1$ to $\tau$ do 15:     if ${\sigma }_j^{\prime }\ne {pk}_{i_j}$ then 16:       return “reject” 17:   return “accept”

5. Discussion

5.1. Security Analysis of Syrga2

It is known that the signature ${\sigma }_1,{\sigma }_2,\dots ,{\sigma }_{\tau }$ is obtained from the hash values of the keys ${sk}_1,{sk}_2,\dots ,{sk}_t$. Since the Syrga2 scheme belongs to the class with state tracking (via the parameter q), the attacker cannot create a false signature. However, it is necessary to assess the security level of the Syrga2 scheme in case the user inadvertently reuses the parameter q multiple times. Let z denote the number of instances where the parameter q has been inadvertently reused, resulting in the attacker gaining knowledge of some key values.

Theorem 1.

Let ${\mathcal{F}}_n=\left\{f_k: {\left\{\mathrm{0,1}\right\}}^n\to {\left\{\mathrm{0,1}\right\}}^n| k\in \mathcal{K}\right\}$ be a family of one-way functions resistant to second preimage attacks and undetectable, and $H$ be a cryptographic hash function in the random oracle model. Then the insecurity of Syrga2 against UF-CMA attack is bounded by the probability:

$$Pr\left[{Sig}_{\mathcal{A},\Sigma }^{UF-CMA}\left(Syrga2\left(1^n,t,\tau \right)\right)\right]\le \mathit{max}\left\{\left(\begin{array}{c}t\\ \tau \end{array}\right)·\left(\begin{array}{c}\tau \\ z\end{array}\right)·\left(\begin{array}{c}t-\tau \\ \tau -z\end{array}\right), q·max\left\{\mathit{Pr}\left[{Sig}_{\mathcal{A},\Sigma }^{OW}\left(n\right)=1\right],\mathit{Pr}\left[{Sig}_{\mathcal{A},\Sigma }^{SPR}\left(n\right)=1\right]\right\}\right\}$$

(6)

Proof of Theorem 1.

The proof follows a similar approach to that of Theorem 1 presented in [16,22]. Therefore, a full proof is not provided here; instead, only the proof idea is outlined. The proof relies on contradiction, assuming that the adversary $\mathcal{A}$ can forge a signature for $Syrga2\left(1^n,t,\tau \right)$, by mounting an attack based on a selected plaintext with success probability:

$$e_{\mathcal{A}}=\mathrm{P}\mathrm{r}\left[{\mathrm{S}\mathrm{i}\mathrm{g}}_{\mathcal{A},\Sigma }^{UF-CMA}\left(\mathrm{S}\mathrm{y}\mathrm{r}\mathrm{g}\mathrm{a}2\left(1^n,t,\tau \right)\right)\right].$$

(7)

 □

The next step involves constructing an oracle machine ${\mathcal{M}}^{\mathcal{A}}$, which breaks OW or SPR, using the adversary $\mathcal{A}$’s algorithm. The pseudocode description of the oracle machine ${\mathcal{M}}^{\mathcal{A}}$ is provided in Algorithm 4.

Nobody claims that a random oracle exists, although there have been conjectures that a random oracle could be implemented in practice using a trusted party. Rather, the random oracle model provides a formal methodology that can be used for the development and verification of cryptographic schemes using the following two-stage approach:

−

First, a scheme is developed and its security is proven in the random oracle model. That is, we assume that there exists a random oracle in the world, and we build and analyze the cryptographic scheme within this model. Standard cryptographic assumptions that we have seen so far can also be used in proving security.

−

When we want to implement the scheme in the real world, the random oracle is unavailable. Instead, the random oracle is created using an appropriately designed cryptographic hash function $\widehat{H}$. That is, at each point where the scheme dictates that a party should request the value of H(x), from the oracle, the party instead computes $\widehat{H}\left(x\right)$ itself.

Algorithm 4: ${\mathcal{M}}^{\mathcal{A}}$

Input: Security parameter n, $q$, ${\tau ,M}_q$, one-way challenge $y_c$ and second preimage resistance challenge $x_c$ Output: A value x that is either a preimage $y_c$ or a second preimage of $x_c$ under $H_1$ or “Fail” 1:  Generate Syrga2 key pair: $\left(SK,PK\right)=$ KgSyrga2() 2:  Choose $\alpha \stackrel{\mathrm{\$}}{\leftarrow }\left\{1,\dots ,\tau \right\}$ and $\beta \stackrel{\mathrm{\$}}{\leftarrow }\left\{1,\dots ,q\right\}$ uniformly at random 3:  Choose $\gamma \stackrel{\mathrm{\$}}{\leftarrow }\left\{\beta +1,\dots ,q-1\right\}$ uniformly at random 4:  Obtain $PK\prime$ by setting ${PK}_i^{\prime }=H_1^{(q-i)}\left({SK}^{\left(0\right)}\right)$ for all $i\in \left[1,\tau \right]$, $i\ne \alpha$ and ${PK}_{\alpha }^{\prime }=H_1^{(q-\beta )}\left(y_c\right)$ 5:  Run ${\mathcal{A}}^{Sign(SK,·)}\left({PK}^{\prime }\right)$ 6:  if ${\mathcal{A}}^{Sign(SK,·)}\left({PK}^{\prime }\right)$ queries Sign with $M_q$ then (6a) Generate $P=\left(p_0,p_1,p_2,\dots ,p_{\tau -1}\right),p_j\ne p_k$, $j,k=0,\dots ,\tau -1$, $j\ne k$. (6b) if $p_{\alpha }<\beta$ then return “Fail” (6c) Generate signature $\sigma$ of M:    (6c.1) Compute: $\sigma =\left({\sigma }_1,{\sigma }_2,\dots ,{\sigma }_{\tau }\right)\leftarrow$ (SignSyrga2($\mathrm{S}\mathrm{K},{\mathrm{M}}_{\mathrm{q}},\mathrm{q}$))    (6c.2) Set ${\sigma }_{\alpha }=H_1^{\left(p_{\alpha }-\beta \right)}\left(y_c\right)$ (6d) Reply to query using $\sigma$ 7:  if ${\mathcal{A}}^{Sign(SK,·)}\left(PK\right)$ returns valid $\left({\sigma }^{\prime },M_q^{\prime }\right)$ then (7a) Generate $P^{\prime }=\left(p_0^{\prime },p_1^{\prime },p_2^{\prime }\dots p_{\tau -1}^{\prime }\right),p_j^{\prime }\ne p_k^{\prime }$, $j,k=0,\dots ,\tau -1$, $j\ne k$. (7b) if $p_{\propto }^{\prime }\ge \beta$ then return “Fail” (7c) if $\beta =q-1$   (c.1) return preimage $H_1^{\left(q-1-p_{\propto }^{\prime }-1\right)}\left({\sigma }_{\alpha }^{\prime }\right)$ (7d) else   (7d.1) if $H_1^{\left(\beta -p_{\propto }^{\prime }\right)}\left({\sigma }_{\alpha }^{\prime }\right)=y_c$ then       return preimage $H_1^{\left(\beta -p_{\propto }^{\prime }-1\right)}\left({\sigma }_{\alpha }^{\prime }\right)$   (7d.2) else if ${x^{\prime }=H}_1^{\left(\gamma -p_{\propto }^{\prime }-1\right)}\left({\sigma }_{\alpha }^{\prime }\right)\ne x_c$ and $H_1^{\left(\gamma -p_{\propto }^{\prime }\right)}\left({\sigma }_{\alpha }^{\prime }\right)=H_1^{\left(\gamma -\beta \right)}\left(y_c\right)$               then return the second preimage $x^{\prime }$ 8:  In any other case return “Fail”

The idea of Algorithm 4 is as follows. First, a key pair $\left(SK,PK\right)$ of the Syrga2 scheme is generated, and then challenges are introduced for one-wayness (OW) at position β and for second preimage resistance (SPR) at position γ based on index α, resulting in the computation of ${PK}^{\prime }$. Subsequently, the modified public key ${PK}^{\prime }$ is forwarded to $\mathcal{A}$. The adversary can request the signature of a message M. If the computed value $p_{\propto }^{\prime }$ during the evaluation of M satisfies the condition $p_{\propto }^{\prime }<\beta$, then signature generation is unsuccessful, and the algorithm terminates. Otherwise, using the modified public key ${PK}^{\prime }$, a signature σ is computed and passed to $\mathcal{A}$. Consequently, a forged pair ($M^{\prime },{\sigma }^{\prime })$. is created. If this forged signature ${\sigma }^{\prime }$ is valid for signing $M^{\prime }$, it confirms the existence of a solution to one of the issues related to ${\sigma }^{\prime }$. Otherwise, ${\mathcal{M}}^{\mathcal{A}}$ returns “Fail”, indicating the failure to find a preimage and collision.

Using the assumptions of one-wayness and second preimage resistance of ${\mathcal{F}}_n$, it is possible to estimate the success probability of $\mathcal{A}$, when $M^{\mathcal{A}}$ is invoked:

$$e_{\mathcal{A}}^{\mathrm{\prime }}\le \mathit{max}\left\{1/\left[\left(\begin{array}{c}t\\ \tau \end{array}\right)·\left(\begin{array}{c}\tau \\ z\end{array}\right)·\left(\begin{array}{c}t-\tau \\ \tau -z\end{array}\right)\right],q·max\left\{\mathrm{Pr}\left[{\mathrm{S}\mathrm{i}\mathrm{g}}_{\mathcal{A},\Sigma }^{OW}\left(n\right)=1\right],\mathrm{Pr}\left[{\mathrm{S}\mathrm{i}\mathrm{g}}_{\mathcal{A},\Sigma }^{SPR}\left(n\right)=1\right]\right\}\right\}.$$

(8)

5.2. Security Level and Performance Evaluation of the Scheme

Since no cryptographic system is immune to all attacks, it is proposed to assess its security level. This is a challenging task, and one common subjective approach for such assessment is using the concept of “bit security”—b. The assessment of security bits takes into account all known general attacks on the mathematical problem and cryptographic scheme [23]. Bit security bridges asymptotic and concrete modes of evaluating the security of cryptographic schemes. Whereas the asymptotic approach does not provide any guidance on concrete parameter selection, bit security helps us choose an appropriate set of parameters to guarantee a certain level of security when deploying cryptographic schemes [24]. The objectivity of assessing the security level of a scheme largely depends on the fundamental building blocks and primitives of the scheme itself. It is considered that a cryptographic system has a security level of b if it can be expected that approximately $\mathcal{O}\left(2^b\right)$ operations will be required for a successful attack on it [25].

Given Theorem 1, it is possible to compute the security level of Syrga2. This allows for comparing its security with that of other post-quantum digital signature schemes.

$$Pr\left[{Sig}_{\mathcal{A},\Sigma }^{UF-CMA}\left(Syrga2\left(1^n,t,\tau \right)\right)\right]\le 1/\left[\left(\begin{array}{c}t\\ \tau \end{array}\right)·\left(\begin{array}{c}\tau \\ z\end{array}\right)·\left(\begin{array}{c}t-\tau \\ \tau -z\end{array}\right)\right]$$

(9)

So, for a security level of b, we obtain:

$$b\ge log\left[\left(\begin{array}{c}t\\ \tau \end{array}\right)·\left(\begin{array}{c}\tau \\ z\end{array}\right)·\left(\begin{array}{c}t-\tau \\ \tau -z\end{array}\right)\right]=log\frac{t!}{z!{\left[\left(\tau -z\right)!\right]}^2\left(t+z-2\tau \right)!}$$

(10)

Table 1. Security level of some post-quantum signature schemes.

Schemes	Formulas	Parameters	Security Level, b
Syrga1	$b=k\left(\log \left(t/k\right)\right)$	$k=32,t=256$	96
Syrga2	$b=log\frac{t!}{z!{\left[\left(\tau -z\right)!\right]}^2\left(t+z-2\tau \right)!}$	$\tau =32$	135
		$\tau =64$	203
		$\tau =96$	240
		$\tau =128$	251
HORS	$b=k\left(\log \left(t/kr\right)\right)$	$k=16,t=2^{10},r=1$	96
W-OTS+	$b=n-\log \left(w^{2}l+w\right)$, here $l=l_1+l_2, l_1=⌈\raisebox{1ex}{$m$}\!\left/ \!\raisebox{-1ex}{$\mathit{log}w$}\right.⌉$, $l_2=⌊\frac{\mathit{log}\left(l_1\left(w-1\right)\right)}{\mathit{log}w}⌋+1$	$n=128,w=21,$ $m=256$	113
HORSIC+	$b\ge log\frac{t^k\left(z-1\right)!}{k!\left(k-1\right)!\left(z-k\right)!}$.	$n=256, t=2^{16}, k=26,$ $z=35, w=10$	353

displays the security level of Syrga2 for different values of the parameter $\tau$ alongside other post-quantum signature schemes, and includes the calculation formula. Figure 4 showcases the security level of Syrga2 for various $\tau$ options.

In Figure 4, the dynamics of the security level b are illustrated as a function of the parameter z. It has been experimentally determined that as $z$ increases, in all considered instances of $\tau$ ($\tau =32,64,96,128$), the security of the scheme decreases.

The number of keys that became known to the adversary due to the reuse of the parameter q is denoted as z. However, it is worth noting that even with the maximum value of z, when $z=\tau$, the scheme still provides the required level of security.

Table A1. Security level of Syrga2.

t	z	τ = 32	τ = 64	τ = 96	τ = 128
256	16	244.4584	404.2143	455.2656	384.3512
256	20	227.5899	402.9182	463.3294	404.9993
256	24	205.7229	399.2947	469.3831	422.9558
256	28	177.159	393.4319	473.5926	438.5779
256	32	135.4192	385.3417	476.0656	452.1154
256	36		374.9718	476.8711	463.7504
256	40		362.2028	476.0496	473.6189
256	44		346.8333	473.6186	481.8238
256	48		328.5446	469.5752	488.4434
256	52		306.8236	463.8971	493.5364
256	56		280.7777	456.542	497.1454
256	60		248.5537	447.4447	499.2995
256	64		203.5669	436.5129	500.0157
256	68			423.6193	499.2995
256	72			408.5893	497.1454
256	76			391.179	493.5364
256	80			371.0365	488.4434
256	84			347.6222	481.8238
256	88			320.0224	473.6189
256	92			286.3662	463.7504
256	96			240.0544	452.1154
256	100				438.5779
256	104				422.9558
256	108				404.9993
256	112				384.3512
256	116				360.4675
256	120				332.4305
256	124				298.3664
256	128				251.6728

in Appendix A presents the input parameters, including the parameter $z$, which ranges from 16 to 32 with a step of 4, along with their corresponding security level values. The parameter $z$ characterizes the number of compromised secret keys when the same $q$ is reused erroneously. The value of the parameter $q$ cannot exceed the value of the parameter $\tau$, i.e., the number of intermediate secret keys selected for signing the message $\tau$, i.e., the number of intermediate secret keys selected for signing the message M.

5.3. Performance Evaluation of Syrga2

In this subsection, the efficiency of Syrga2 is analyzed using the HBC-256 and HAS01 hash functions developed at the IICT [26,27,28]. Software was implemented in the C++ programming language using the Microsoft Visual Studio integrated development environment for an objective performance evaluation. The characteristics of the PC used for the study are as follows: operating system—Windows 10 Pro (version 22H2), system type—64-bit operating system, processor—Intel(R) Core(TM) i5-7500T CPU @ 2.70 GHz, RAM—8.00 GB.

The results of the program’s operation with various input parameters are presented in

Table 2. Time to obtain a signature for $q=1$ and $\tau =$ {$32, 64, 96, 128\}$.

Components of Syrga2	$\mathit{\tau }$, Milliseconds
	32	64	96	128
Key generation algorithm, ${\mathbf{K}\mathbf{g}}_{\mathbf{S}\mathbf{y}\mathbf{r}\mathbf{g}\mathbf{a}\mathbf{2}}\left(\right)$	4755	4755	4755	4755
Formation of the P-box, $\mathit{P}=\left({\mathit{p}}_{\mathbf{0}},{\mathit{p}}_{\mathbf{1}},{\mathit{p}}_{\mathbf{2}},\dots ,{\mathit{p}}_{\mathit{\tau }-\mathbf{1}}\right)$	˂0.01	˂0.01	˂0.01	˂0.01
Signing algorithm, ${\mathbf{S}\mathbf{i}\mathbf{g}\mathbf{n}}_{\mathbf{S}\mathbf{y}\mathbf{r}\mathbf{g}\mathbf{a}\mathbf{2}}\left(\right)$	623	1216	1770	2350
Signature verification algorithm, ${\mathbf{V}\mathbf{f}}_{\mathbf{S}\mathbf{y}\mathbf{r}\mathbf{g}\mathbf{a}\mathbf{2}}\left(\right)$	0.01	0.01	0.02	0.01

and

Table 3. Time to obtain a signature for $q=512$ and $\tau =$ {$32,64,96,128\}$.

Components of Syrga2	$\mathit{\tau }$, Milliseconds
	32	64	96	128
Key generation algorithm, ${\mathbf{K}\mathbf{g}}_{\mathbf{S}\mathbf{y}\mathbf{r}\mathbf{g}\mathbf{a}\mathbf{2}}\left(\right)$	4755	4755	4755	4755
Formation of the P-box, $\mathit{P}=\left({\mathit{p}}_{\mathbf{0}},{\mathit{p}}_{\mathbf{1}},{\mathit{p}}_{\mathbf{2}},\dots ,{\mathit{p}}_{\mathit{\tau }-\mathbf{1}}\right)$	˂0.01	˂0.01	˂0.01	˂0.01
Signing algorithm, ${\mathbf{S}\mathbf{i}\mathbf{g}\mathbf{n}}_{\mathbf{S}\mathbf{y}\mathbf{r}\mathbf{g}\mathbf{a}\mathbf{2}}\left(\right)$	301	627	893	1177
Signature verification algorithm, ${\mathbf{V}\mathbf{f}}_{\mathbf{S}\mathbf{y}\mathbf{r}\mathbf{g}\mathbf{a}\mathbf{2}}\left(\right)$	310	609	930	1203

. The size of the original file for signing is 30 bytes. The file was chosen to be small because the main goal of the research was to test the operation of the post-quantum algorithm for signature generation and verification. It is important to note the generation of the P-box separately. The P-box is dynamically generated in the program based on the hash values of the message M. Using the obtained values of the P-box and the private keys, a signature is formed.

Analysis of the values obtained in Table 2 and Table 3 shows that the execution time of the ${\mathrm{K}\mathrm{g}}_{\mathrm{S}\mathrm{y}\mathrm{r}\mathrm{g}\mathrm{a}2}\left(\right)$ algorithm remains the same for different values of the parameter $\tau$, as it does not affect the key generation process. The formation of the permutation table P-box actually takes very little time, which is reflected in the tables using the comparison sign “<”. It is also worth noting that the total execution times of the ${\mathrm{S}\mathrm{i}\mathrm{g}\mathrm{n}}_{\mathrm{S}\mathrm{y}\mathrm{r}\mathrm{g}\mathrm{a}2}()$ and ${\mathrm{V}\mathrm{f}}_{\mathrm{S}\mathrm{y}\mathrm{r}\mathrm{g}\mathrm{a}2}()$ algorithms in Table 2 and Table 3 are approximately the same. For example, when $\tau =128$, the total time is 2350 + 0.01 = 2350.01 ms in Table 2 and 1177 + 1203 = 2380 ms in Table 3. Thus, it can be concluded that the overall execution time of the entire hashing process is practically independent of the value of q from which the hashing continues.

Table 4. A comparative summary of the hash-based signature scheme.

Scheme	Timings (ms)			Sizes (KB)
	Key Generation	Signing	Verification	Key Size	Signature Size
SYRGA1 [21] SYRGA2	4982 4755	632 1177	1296 1203	8 8	1.033 1.033
HORS [4]	17	100	1449	3.1 MB	1.2
SPHINCS-256 [4]	12.6	236	2730	1	41.0
XMSS (SHA2-256) [4] XMSS+ [4]	4540 5600	4480 106	2690 25	4.7 3.67	0.03 3.4

presents a comparative analysis of the SYRGA2 scheme with other algorithms in terms of performance, key length, and signature length. For SYRGA2, parameters that showed the longest time were selected, i.e., $q$ = 512 and τ = 128.

As seen in Table 4, the most time-consuming part of the SYRGA2 algorithm is key generation, which takes about 5 s, while the other procedures collectively take about one second. Although this is slower than some of the algorithms listed in Table 4, it should be noted that the 5 s spent (to obtain a single public key) allows for the creation of a secure signature for at least 1024 messages.

If we compare SYRGA2 with SPHINCS-256 and HORS, they show better results in time parameters, but the key size is larger than that of SYRGA2. XMSS (SHA2-256), when compared with the proposed scheme, shows worse results in time parameters, but the key size is smaller than that of SYRGA2. All this depends on the individual structure of the considered schemes, the cryptographic parameters used in it, the performed optimization operations, as well as the computing resources of the computer.

One of the most promising directions in post-quantum cryptography is cryptographic systems for digital signatures based on hash functions. The resilience of hash functions is less affected by the advent of quantum computers. For example, the complexity of solving the hash function collision search problem remains within safe limits today even when the length of the hash function value is increased by one and a half times.

The proposed post-quantum digital signature scheme Syrga2 includes the HBC-256 hashing algorithm developed by the same authors. The security of Syrga2 is based on the resilience of HBC-256, where it manipulates the parameter k—the number of parts from 3 to 8 of the data to be hashed and an additional function ComF, which determines the length of the hash value. The maximum length of the hash value in HBC-256 can reach 1024 bits. Therefore, to find a collision in hash values of length 1024 bits using the “Birthday Paradox” method with a probability of 0.5, $0.83·2^{512}$ messages would be required, which is not feasible for existing quantum computers.

6. Future Work

At this stage of the research, the main focus was on the development of a new digital signature scheme and ensuring its security. Therefore, special attention was given to verifying the correct functioning of the developed scheme with the capability for step-by-step monitoring of this process. Future work will involve selecting the optimal value of the parameter q, which significantly impacts the efficiency and performance of the scheme. Emphasis will be placed on optimizing the software code using cryptographic libraries. Performance evaluation will be carried out using the universal metric “cycles per byte” (CPB), which is applicable to cryptographic schemes. Furthermore, hardware implementation of the scheme is planned for the future. All these efforts require a significant amount of work for the practical application of the developed scheme. The results obtained will be reflected in the authors’ articles, which are planned to be published shortly.

7. Conclusions

Post-quantum cryptography is currently in the phase of active research and standardization and is already beginning to be implemented in real applications, even though many algorithms have not yet undergone standardization and testing procedures. Therefore, the scale of implementation of the proposed scheme will be determined based on its reliability in practice.

The main feature of the proposed Syrga2 scheme is that a single key pair $\left\{SK,PK\right\}$ can be used to sign multiple messages. The potential number of messages is determined by the parameter $q$, while the security level of the scheme remains unaffected. Since the proposed scheme is stateful, it is important to control this parameter. The article demonstrates how erroneously reusing the value of $q$ affects the security level. In the Syrga2 scheme, the size of the signature is determined by the parameter τ and takes values of 32, 64, 96, and 128. As shown in Table 3, if signing speed is important to users, it is preferable to choose smaller values of τ, whereas if security is more important, larger values of $\tau$ should be chosen. The algorithms for hashing HAS01 and HBC-256, developed at IICT, were used in calculating the signature generation speed and all other measurements. The reliability of these hashing algorithms is presented in other works by the authors.