
Challenges of post-quantum digital signing in real-world applications: a survey

Survey article, published in: International Journal of Information Security

Abstract

Public key cryptography is threatened by the advent of quantum computers. Using Shor’s algorithm on a large-enough quantum computer, an attacker can cryptanalyze any RSA/ECC public key and generate fake digital signatures in seconds. If this vulnerability is left unaddressed, digital communications and electronic transactions can potentially be without the assurance of authenticity and non-repudiation. In this paper, we study the use of digital signatures in 14 real-world applications across the financial, critical infrastructure, Internet, and enterprise sectors. Besides understanding the digital signing usage, we compare the applications’ signing requirements against all six NIST’s Post-Quantum Cryptography Standardization round 3 candidate algorithms. This is done through a proposed framework where we map out the suitability of each algorithm against the applications’ requirements in a feasibility matrix. Using the matrix, we identify improvements needed for all 14 applications to have a feasible post-quantum secure replacement digital signing algorithm.



Notes

  1. Elliptic curve cryptography (ECC) [56] is commonly used as the underlying cryptosystem for DSA. For purposes of this paper, we will use elliptic curve digital signature algorithm (ECDSA) to represent all DSA signature implementations using ECC.

  2. This refers to advanced electronic signatures and is not to be confused with the symmetric key encryption standard, advanced encryption standard.

  3. We note that the estimated KeyGen execution times did not materially influence the eventual result.

References

  1. Adobe: Adobe DC Digital Signatures Guide - Supported Standards. Online: https://www.adobe.com/devnet-docs/acrobatetk/tools/DigSigDC/standards.html [accessed: April 2021] (2018)

  2. Ajtai, M.: Generating hard instances of lattice problems. In: Proceedings of the twenty-eighth annual ACM symposium on Theory of computing, pp. 99–108. ACM (1996)

  3. Akkar, M.L., Courtois, N.T., Duteuil, R., Goubin, L.: A fast and secure implementation of sflash. In: International Workshop on Public Key Cryptography, pp. 267–278. Springer (2003)

  4. Alagic, G., Alperin-Sheriff, J., Apon, D., Cooper, D., Dang, Q., Liu, Y.K., Miller, C., Moody, D., Peralta, R., et al.: Status report on the first round of the NIST post-quantum cryptography standardization process. US Department of Commerce, National Institute of Standards and Technology (2019)

  5. Albrecht, M.R., Hanser, C., Hoeller, A., Pöppelmann, T., Virdia, F., Wallner, A.: Implementing rlwe-based schemes using an rsa co-processor. IACR Transactions on Cryptographic Hardware and Embedded Systems pp. 169–208 (2019)

  6. Augot, D., Batina, L., Bernstein, D.J., Bos, J., Buchmann, J., Castryck, W., Dunkelman, O., Güneysu, T., Gueron, S., Hülsing, A., Lange, T., Mohamed, M.S.E., Rechberger, C., Schwabe, P., Sendrier, N., Vercauteren, F., Yang, B.Y.: Initial recommendations of long-term secure post-quantum systems. Online: http://pqcrypto.eu.org/docs/initial-recommendations.pdf [accessed: April 2021] (2015)

  7. Aumasson, J.P., Bernstein, D.J., Dobraunig, C., Eichlseder, M., Fluhrer, S., Gazdag, S.L., Hülsing, A., Kampanakis, P., Kölbl, S., Lange, T., Lauridsen, M.M., Mendel, F., Niederhagen, R., Rechberger, C., Rijneveld, J., Schwabe, P.: SPHINCS+ submission to the NIST post-quantum project. Online: https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-2/submissions/SPHINCS-Round2.zip [accessed: April 2021] (2019)

  8. Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Cryptographers’ Track at the RSA Conference, pp. 28–47. Springer (2014)

  9. Banerjee, U., Ukyab, T.S., Chandrakasan, A.P.: Sapphire: A configurable crypto-processor for post-quantum lattice-based protocols. arXiv preprint arXiv:1910.07557 (2019)

  10. Barker, E.: SP 800-57 part 1 rev. 5 Recommendation for key management part 1: General. NIST special publication 800, 57 (2020)

  11. Barker, W., Polk, W., Souppaya, M.: Getting ready for post-quantum cryptography: Explore challenges associated with adoption and use of post-quantum cryptographic algorithms. NIST Cybersecurity White Paper (2021)

  12. Bennett, C.H., Bernstein, E., Brassard, G., Vazirani, U.: Strengths and weaknesses of quantum computing. SIAM J. Comput. 26(5), 1510–1523 (1997)

  13. Bernstein, D.J., Hopwood, D., Hülsing, A., Lange, T., Niederhagen, R., Papachristodoulou, L., Schneider, M., Schwabe, P., Wilcox-O’Hearn, Z.: SPHINCS: practical stateless hash-based signatures. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 368–397. Springer (2015)

  14. Boorghany, A., Sarmadi, S.B., Jalili, R.: On constrained implementation of lattice-based cryptographic primitives and schemes on smart cards. ACM Trans. Embed. Comput. Syst. (TECS) 14(3), 1–25 (2015)

  15. Buchmann, J., Dahmen, E., Hülsing, A.: XMSS-a practical forward secure signature scheme based on minimal security assumptions. In: International Workshop on Post-Quantum Cryptography, pp. 117–129. Springer (2011)

  16. Casanova, A., Faugere, J.C., Macario-Rat, G., Patarin, J., Perret, L., Ryckeghem, J.: Gemss: A great multivariate short signature. Online: https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-2/submissions/GeMSS-Round2.zip [accessed: April 2021] (2019)

  17. Chalkias, K., Brown, J., Hearn, M., Lillehagen, T., Nitto, I., Schroeter, T.: Blockchained post-quantum signatures. In: 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), pp. 1196–1203. IEEE (2018)

  18. Chase, M., Derler, D., Goldfeder, S., Katz, J., Kolesnikov, V., Orlandi, C., Ramacher, S., Rechberger, C., Slamanig, D., Wang, X., Zaverucha, G.: The picnic digital signature algorithm: Update for round 2 (2019)

  19. Chase, M., Derler, D., Goldfeder, S., Orlandi, C., Ramacher, S., Rechberger, C., Slamanig, D., Zaverucha, G.: Post-quantum zero-knowledge and signatures from symmetric-key primitives. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1825–1842. ACM (2017)

  20. Chen, L., Jordan, S., Liu, Y.K., Moody, D., Peralta, R., Perlner, R., Smith-Tone, D.: NISTIR 8105: Report on post-quantum cryptography. US Department of Commerce, National Institute of Standards and Technology (2016)

  21. Cooper, D.A., Apon, D.C., Dang, Q.H., Davidson, M.S., Dworkin, M.J., Miller, C.A.: Recommendation for stateful hash-based signature schemes. NIST Spec Publ 800, 208 (2020)

  22. Courtois, N., Goubin, L., Meier, W., Tacier, J.D.: Solving underdefined systems of multivariate quadratic equations. In: International Workshop on Public Key Cryptography, pp. 211–227. Springer (2002)

  23. Dang, V.B., Farahmand, F., Andrzejczak, M., Mohajerani, K., Nguyen, D.T., Gaj, K.: Implementation and benchmarking of round 2 candidates in the nist post-quantum cryptography standardization process using hardware and software/hardware co-design approaches. Cryptology ePrint Archive: Report 2020/795 (2020)

  24. Ding, J., Chen, M.S., Petzoldt, A., Schmidt, D., Yang, B.Y.: Rainbow-algorithm specification and documentation: The 2nd round proposal. Online: https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-2/submissions/Rainbow-Round2.zip [accessed: April 2021] (2019)

  25. Dubois, V., Fouque, P.A., Shamir, A., Stern, J.: Practical cryptanalysis of SFLASH. In: Annual International Cryptology Conference, pp. 1–12. Springer (2007)

  26. Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schwabe, P., Seiler, G., Stehlé, D.: CRYSTALS–Dilithium: Algorithm Specification and Supporting Documentation. Round-2 submission to the NIST PQC project (2019)

  27. EEMBC: CoreMark: An EEMBC Benchmark. Online: https://www.eembc.org/coremark/scores.php [accessed: April 2021] (2020)

  28. EMVCo: EMV Integrated Circuit Card Specifications for Payment Systems Book 2 Security and Key Management Version 4.3 (2011)

  29. ETSI: ETSI TS 102 778-1 V1.1.1 Electronic Signatures and Infrastructures (ESI); PDF Advanced Electronic Signature Profiles; Part 1: PAdES Overview - a framework document for PAdES. Online: https://www.etsi.org/deliver/etsi_ts/102700_102799/10277801/01.01.01_60/ts_10277801v010101p.pdf [accessed: April 2021] (2009)

  30. ETSI: Quantum Safe Cryptography; Case Studies and Deployment Scenarios ETSI GR QSC 003 V1.1.1. Online: https://www.etsi.org/deliver/etsi_gr/QSC/001_099/00301.01.01_60/gr_QSC003v010101p.pdf [accessed: April 2021] (2017)

  31. Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Conference on the Theory and Application of Cryptographic Techniques, pp. 186–194. Springer (1986)

  32. NIST: FIPS PUB 186-4: Digital Signature Standard (DSS). Federal Information Processing Standards Publication, Information Technology Laboratory, National Institute of Standards and Technology (NIST), Gaithersburg, MD (2013)

  33. Fouque, P.A., Hoffstein, J., Kirchner, P., Lyubashevsky, V., Pornin, T., Prest, T., Ricosset, T., Seiler, G., Whyte, W., Zhang, Z.: Falcon: Fast-Fourier Lattice-based Compact Signatures over NTRU Specifications v1.1. Online: https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-2/submissions/Falcon-Round2.zip [accessed: April 2021] (2019)

  34. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the fortieth annual ACM symposium on Theory of computing, pp. 197–206. ACM (2008)

  35. Giacomelli, I., Madsen, J., Orlandi, C.: ZKBoo: Faster zero-knowledge for boolean circuits. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 1069–1083 (2016)

  36. Goldreich, O.: Foundations of Cryptography: Basic Applications. Cambridge University Press, Cambridge (2009)

  37. Goldreich, O., Goldwasser, S., Halevi, S.: Public-key cryptosystems from lattice reduction problems. In: Annual International Cryptology Conference, pp. 112–131. Springer (1997)

  38. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)

  39. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)

  40. Grover, L.K.: Quantum mechanics helps in searching for a needle in a haystack. Phys. Rev. Lett. 79(2), 325 (1997)

  41. GSMA: eSIM whitepaper: The what and how of remote sim provisioning. Online: https://www.gsma.com/esim/wp-content/uploads/2018/06/eSIM-Whitepaper-v4.11.pdf [accessed: April 2021] (2018)

  42. Güneysu, T., Lyubashevsky, V., Pöppelmann, T.: Practical lattice-based cryptography: A signature scheme for embedded systems. In: International Workshop on Cryptographic Hardware and Embedded Systems, pp. 530–547. Springer (2012)

  43. Hanke, T., Movahedi, M., Williams, D.: Dfinity technology overview series, consensus system. arXiv preprint arXiv:1805.04548 (2018)

  44. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: A ring-based public key cryptosystem. In: International Algorithmic Number Theory Symposium, pp. 267–288. Springer (1998)

  45. Hülsing, A.: W-OTS+–shorter signatures for hash-based signature schemes. In: International Conference on Cryptology in Africa, pp. 173–188. Springer (2013)

  46. Hülsing, A., Butin, D., Gazdag, S., Rijneveld, J., Mohaisen, A.: XMSS: eXtended Merkle signature scheme. Online: https://tools.ietf.org/html/rfc8391 [accessed: April 2021] (2018)

  47. Hülsing, A., Rijneveld, J., Schwabe, P.: Armed sphincs. In: Public-Key Cryptography–PKC 2016, pp. 446–470. Springer (2016)

  48. ICAO: Doc 9303: Machine Readable Travel Documents. Online: https://www.icao.int/publications/pages/publication.aspx?docnum=9303 [accessed: April 2021] (2015)

  49. Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge from secure multiparty computation. In: Proceedings of the thirty-ninth annual ACM symposium on Theory of computing, pp. 21–30. ACM (2007)

  50. ISO: ISO 32000-1:2008 Document management - Portable document format - Part 1: PDF 1.7. Online: https://www.iso.org/standard/51502.html [accessed: April 2021] (2013)

  51. ISO: ISO/IEC 7816-4:2013 identification cards - integrated circuit cards - part 4: Organization, security and commands for interchange. Online: https://www.iso.org/standard/54550.html [accessed: April 2021] (2013)

  52. ITU-T: Recommendation X.509: Information technology – Open systems interconnection – The directory: public-key and attribute certificate frameworks. Online: https://www.itu.int/rec/T-REC-X.509-201910-I/en [accessed: April 2021] (2019)

  53. Bernstein, D.J., Lange, T. (eds.): eBACS: ECRYPT Benchmarking of Cryptographic Systems. Online: https://bench.cr.yp.to/primitives-sign.html [accessed: April 2021] (2019)

  54. Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: A provably secure proof-of-stake blockchain protocol. In: Annual International Cryptology Conference, pp. 357–388. Springer (2017)

  55. Kipnis, A., Patarin, J., Goubin, L.: Unbalanced oil and vinegar signature schemes. In: International Conference on the Theory and Applications of Cryptographic Techniques, pp. 206–222. Springer (1999)

  56. Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48(177), 203–209 (1987)

  57. Lamport, L.: Constructing digital signatures from a one-way function. Tech. rep., Technical Report CSL-98, SRI International Palo Alto (1979)

  58. Langner, R.: Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur. Priv. 9(3), 49–51 (2011)

  59. Lee, C.C., Tan, T.G., Sharma, V., Zhou, J.: Quantum computing threat modelling on a generic cps setup. In: International Conference on Applied Cryptography and Network Security, pp. 171–190. Springer (2021)

  60. Leighton, F.T., Micali, S.: Large provably fast and secure digital signature schemes based on secure hash functions. US Patent 5,432,852 (1995)

  61. Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: International Conference on the Theory and Application of Cryptology and Information Security, pp. 598–616. Springer (2009)

  62. Machani, S., Philpott, R., Srinivas, S., Kemp, J., Hodges, J.: FIDO UAF architectural overview. Online: https://fidoalliance.org/specs/fido-uaf-v1.1-ps-20170202/fido-uaf-overview-v1.1-ps-20170202.pdf [accessed: April 2021] (2017)

  63. Manulis, M., Bridges, C.P., Harrison, R., Sekar, V., Davis, A.: Cyber security in new space. Int. J. Inf. Secur. 20(3), 287–311 (2021)

  64. Matsumoto, T., Imai, H.: Public quadratic polynomial-tuples for efficient signature-verification and message-encryption. In: Workshop on the Theory and Application of Cryptographic Techniques, pp. 419–453. Springer (1988)

  65. McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. DSN Progress Report 42-44, 114–116 (1978)

  66. Merkle, R.C.: A certified digital signature. In: Conference on the Theory and Application of Cryptology, pp. 218–238. Springer (1989)

  67. Miller, R.B.: Response time in man-computer conversational transactions. In: Proceedings of the December 9-11, 1968, fall joint computer conference, part I, pp. 267–277 (1968)

  68. Moody, D.: The 2nd round of the nist pqc standardization process. Online: https://csrc.nist.gov/CSRC/media/Presentations/the-2nd-round-of-the-nist-pqc-standardization-proc/images-media/moody-opening-remarks.pdf [accessed: April 2021] (2019)

  69. Moody, D.: NIST PQC Standardization Update - Round 2 and Beyond. Online: https://csrc.nist.gov/CSRC/media/Presentations/pqc-update-round-2-and-beyond/images-media/pqcrypto-sept2020-moody.pdf [accessed: April 2021] (2020)

  70. mupq: pqm4: Post-quantum crypto library for the ARM Cortex-M4. Online: https://github.com/mupq/pqm4 [accessed: April 2021] (2020)

  71. Nakamoto, S.: Bitcoin: A peer-to-peer electronic cash system. Online: https://bitcoin.org/bitcoin.pdf [accessed: April 2021] (2008)

  72. NIST: Submission requirements and evaluation criteria for the post-quantum cryptography standardization process. Online: https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf [accessed: April 2021] (2016)

  73. Oder, T., Pöppelmann, T., Güneysu, T.: Beyond ecdsa and rsa: lattice-based digital signatures on constrained devices. In: 2014 51st ACM/EDAC/IEEE Design Automation Conference (DAC), pp. 1–6. IEEE (2014)

  74. Patarin, J.: Cryptanalysis of the Matsumoto and Imai public key scheme of Eurocrypt’88. In: Annual International Cryptology Conference, pp. 248–261. Springer (1995)

  75. Patarin, J.: Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two new families of asymmetric algorithms. In: International Conference on the Theory and Applications of Cryptographic Techniques, pp. 33–48. Springer (1996)

  76. Patarin, J.: The oil and vinegar signature scheme. In: Dagstuhl Workshop on Cryptography September, 1997 (1997)

  77. Patarin, J., Courtois, N., Goubin, L.: Quartz, 128-bit long digital signatures. In: Cryptographers’ Track at the RSA Conference, pp. 282–297. Springer (2001)

  78. Pornin, T.: New efficient, constant-time implementations of Falcon. Cryptology ePrint Archive, Report 2019/893 (2019). https://eprint.iacr.org/2019/893

  79. Proos, J., Zalka, C.: Shor’s discrete logarithm quantum algorithm for elliptic curves. arXiv preprint arXiv:quant-ph/0301141 (2003)

  80. Qu, M.: SEC 2: Recommended elliptic curve domain parameters. Certicom Res., Mississauga, ON, Canada, Tech. Rep. SEC2-Ver-0.6 (1999)

  81. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM (JACM) 56(6), 34 (2009)

  82. Rescorla, E.: The transport layer security (TLS) protocol version 1.2. Online: https://tools.ietf.org/html/rfc5246 [accessed: April 2021] (2008)

  83. Rescorla, E.: The transport layer security (TLS) protocol version 1.3. Online: https://tools.ietf.org/html/rfc8446 [accessed: April 2021] (2018)

  84. Reyzin, L., Reyzin, N.: Better than BiBa: short one-time signatures with fast signing and verifying. In: Australasian Conference on Information Security and Privacy, pp. 144–153. Springer (2002)

  85. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

  86. Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. IACR Cryptol. ePrint Arch. 2006, 145 (2006)

  87. Schaad, J., Cellars, A., Ramsdell, B., Turner, S.: Secure/multipurpose internet mail extensions (S/MIME) Version 4.0 message specification. Online: https://tools.ietf.org/html/rfc8551 [accessed: April 2021] (2019)

  88. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev. 41(2), 303–332 (1999)

  89. Sikeridis, D., Kampanakis, P., Devetsikiotis, M.: Post-quantum authentication in TLS 1.3: a performance study. In: 27th Annual Network and Distributed System Security Symposium, NDSS 2020, San Diego, California, USA, February 23-26, 2020. The Internet Society (2020)

  90. SWIFT: How much do you pay for your PKI solution? Online: https://www.swift.com/file/29886/download?token=ic6vj_vD [accessed: April 2021] (2016)

  91. Takahashi, Y., Kunihiro, N.: A quantum circuit for shor’s factoring algorithm using 2n+2 qubits. Quantum Inf. Comput. 6(2), 184–192 (2006)

  92. Tan, T.G., Zhou, J.: Layering quantum-resistance into classical digital signature algorithms. In: International Conference on Information Security, pp. 26–41. Springer (2021)

  93. VASCO: VASCO Announces Bankruptcy Filing by DigiNotar B.V. Online: https://web.archive.org/web/20110923180445/http://www.vasco.com/company/press_room/news_archive/2011/news_vasco_announces_bankruptcy_filing_by_diginotar_bv.aspx [accessed: April 2021] (2011)

  94. Wallden, P., Kashefi, E.: Cyber security in the quantum era. Commun. ACM 62(4), 120 (2019)

Funding

This project is partially supported by the Ministry of Education, Singapore, under its MOE AcRF Tier 2 grant (MOE2018-T2-1-111).

Author information

Corresponding author

Correspondence to Teik Guan Tan.

Ethics declarations

Conflict of Interest

Teik Guan Tan declares that he has no conflict of interest. Pawel Szalachowski declares that he has no conflict of interest. Jianying Zhou declares that he has no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Appendices

Appendix: Digital Signing Background

Applications use digital signatures to achieve data integrity, user authenticity, and message non-repudiation. Between Alice and Bob, data integrity ensures that, for any message sent from Alice to Bob, Bob can verify whether the message he received is unmodified or was modified in transit. User authenticity ensures that Bob is able to ascertain whether Alice is who she claims to be. Message non-repudiation ensures that Bob is able to prove that the message originated from Alice, and that Alice is unable to deny that proof. While data integrity and user authenticity can also be achieved using other security primitives such as message authentication codes (MAC), only digital signatures provide the non-repudiation capability that many business applications need.

1.1 Digital Signature Scheme

We define a digital signature scheme as a triple of polynomial-time algorithms KeyGen, Sign, Ver with the following parameters:

\(KeyGen(1^{n})\Rightarrow (K_s,K_p)\) takes in a security parameter \(1^{n}\), which defines the cryptographic key strength n, and outputs a secret key \(K_s\) and the corresponding public key \(K_p\).

\(Sign(M,K_s) \Rightarrow (\sigma )\) takes in a message M and the secret key \(K_s\), and outputs a signature \(\sigma \).

\(Ver(M,K_p,\sigma ) \Rightarrow (result)\) takes in a message M, the public key \(K_p\) and signature \(\sigma \), and outputs accept if and only if \(\sigma \) is a valid signature generated by \(Sign(M,K_s)\).

A digital signature scheme is deemed secure if it is proven to be existentially unforgeable under chosen message attack (EUF-CMA) [39]. The EUF-CMA experiment, described below, between Alice and an adversary Mallory seeks to establish that Mallory gets no closer to forging a signature despite multiple interactions with Alice.

  1. Alice performs KeyGen and sends the public key \(K_p\) to Mallory.

  2. Mallory chooses a message \(M_i\) and asks Alice to sign it.

  3. Alice signs the message \(M_i\) using \(Sign(M_i,K_s)\) and returns the signature \(\sigma _i\) to Mallory. Steps 2) and 3) are repeated multiple times.

  4. At the end of the experiment, Mallory has to output a message \(M'\) that is not within the set of messages \(M_i\) requested in Step 2), together with a signature \(\sigma '\) for which \(Ver(M',K_p,\sigma ')\) returns accept.

1.2 Threat from Quantum Computers

Quantum computers work on the concept of a quantum bit (qubit), where each qubit can exist in a superposition of the states 0 and 1 during computation, until it is finally measured. During computation, quantum algorithms use quantum gates or circuits to make qubits interact according to the principles of superposition, interference, and entanglement, achieving computational speed-ups that are not possible on classical computers. Cybersecurity threats posed by quantum computers may come in different forms [59, 94], but they all stem from the vulnerability caused by Shor’s algorithm [88] running on a quantum computer. NIST has also highlighted the need to protect public key cryptography against Shor’s algorithm in its update [69] and white paper [11].

The security of the RSA cryptosystem is based on the hard problem of factoring a very large modulus m, which is the product of two prime factors p and q [85]. In order to cryptanalyze an RSA key, the prime factors p and q need to be recovered, given only the modulus m. The classical factorization algorithm is described in Algorithm 1.

Algorithm 1: Classical factorization algorithm (presented as a figure in the full article; not reproduced in this preview)

Shor’s algorithm [88] comes into play only in step 12 of Algorithm 1, where no classical or probabilistic polynomial-time algorithm exists for the order-finding problem. Through phase estimation and the quantum Fourier transform, Shor’s algorithm finds in polynomial time the order r such that \(a^r \equiv 1 \pmod{m}\), where m is the modulus and a is a random integer less than \(\frac{m}{2}\). This effectively reduces the time required to recover an RSA private key from billions of years to a matter of hours, breaking any EUF-CMA security assumption. The number of qubits needed on a quantum computer to break the RSA cryptosystem is estimated at \(2n+2\) [91], where n is the size of the modulus in bits; a 4,000+ qubit quantum computer is therefore needed to break an RSA-2048 signature. Shor’s algorithm can also be adapted to solve the discrete logarithm problem, and the number of qubits needed to break ECDSA is “roughly” 6n [79], i.e. a 1,500+ qubit quantum computer to break a 256-bit ECDSA signature.
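To make the reduction concrete, the following Python code is an added example (not code from the paper) that implements the classical part of the factoring-by-order-finding argument on toy moduli constructed for this demonstration. The order r is found by brute force, which is exactly the step Shor’s algorithm replaces with a polynomial-time quantum subroutine; the function names, the use of Python’s `math.gcd`, and the recovery of the private exponent from the factors are this example’s choices, not the paper’s.

```python
"""Classical reduction from order finding to factoring (added example).

For m = p*q and a random a coprime to m, the order r with a^r = 1 (mod m)
yields a factor whenever r is even and a^(r/2) is not -1 (mod m):
gcd(a^(r/2) - 1, m) is then a non-trivial divisor.  Everything here is
classical; find_order() is the exponential-time step that Shor's
algorithm performs in polynomial time on a quantum computer.
The moduli used in the tests are toy values constructed for illustration.
"""
from math import gcd
import random


def find_order(a: int, m: int) -> int:
    """Smallest r >= 1 with a^r = 1 (mod m), by brute-force multiplication.

    Requires gcd(a, m) == 1 so that the sequence returns to 1.
    Cost is up to m steps; this is the sub-step a quantum computer replaces."""
    r, x = 1, a % m
    while x != 1:
        x = (x * a) % m
        r += 1
    return r


def factor_from_order(a: int, r: int, m: int):
    """Turn the order r of a mod m into a factor of m, or None if this a fails."""
    if r % 2:                     # odd order: no useful square root of 1
        return None
    y = pow(a, r // 2, m)
    if y == m - 1:                # trivial square root of 1, try another a
        return None
    f = gcd(y - 1, m)
    return f if 1 < f < m else None


def factor_rsa_modulus(m: int, rng=None):
    """Classical driver of the reduction for m = p*q with odd primes p, q.

    Mirrors the paper's description: pick a random a below m/2, use a lucky
    shared factor directly, otherwise find the order and retry on failure.
    Returns (p, q) with p <= q."""
    rng = rng or random.Random(0)   # fixed seed so the demo is reproducible
    while True:
        a = rng.randrange(2, m // 2)
        g = gcd(a, m)
        if g > 1:                                   # lucky guess shares a factor
            return tuple(sorted((g, m // g)))
        f = factor_from_order(a, find_order(a, m), m)
        if f is not None:
            return tuple(sorted((f, m // f)))


def recover_private_exponent(e: int, p: int, q: int) -> int:
    """Once p and q are known, the RSA private exponent d = e^-1 mod (p-1)(q-1)
    follows immediately; this is why order finding breaks RSA signatures."""
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    p, q = factor_rsa_modulus(3233)            # toy modulus 53 * 61
    print("factors:", p, q, "d for e=17:", recover_private_exponent(17, p, q))
```

With a real 2048-bit modulus `find_order` would never finish, which is the whole point of the paragraph above: every other step of the reduction is cheap, and only the order-finding step stands between an attacker with a large quantum computer and the private key.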

Post-Quantum Digital Signatures

We briefly cover the various families of post-quantum digital signature algorithms being evaluated for PQC below and highlight where the six remaining candidate algorithms in the NIST PQC round 3 are.

1.1 Lattice-based Cryptography

Lattice-based cryptography has by far gained the most attention as the potential PQC candidate to address the threat of quantum computers. We believe that the interest is due to the flexibility of the lattice structure to support both encryption and digital signing, as well as the reasonable key and signature sizes of 10–20 Kbits for a 128-bit security strength. Of all the categories classified under the NIST PQC Standardization, only lattice-based cryptography has round 3 candidates in both key exchange and digital signing.

Lattice-based cryptography is a class of cryptographic primitives built on a multi-dimensional lattice structure and first used by Ajtai in 1996 [2]. Ajtai presented a cryptographic construction using lattices based on the short integer solution (SIS) problem and showed it secure in the average case if the shortest vector problem (SVP) was hard in the worst case. Goldreich, Goldwasser, and Halevi (GGH) [37] introduced a more practical variant based on the lattice-reduction or closest vector problem. GGH eventually gave rise to other SVP lattice algorithms such as Nth degree Truncated Polynomial Ring Unit (NTRU) [44]. Regev [81] used a different hard problem based on learning with errors (LWE) problem and showed that it was similarly secure if lattice problems were hard in the worst case.

Using SVP and its variants, Gentry, Peikert, and Vaikuntanathan (GPV) [34] formalized a provably secure (in both the classical and quantum random oracle models) hash-and-sign trapdoor approach to digital signing over lattices. The trapdoor, in this case, refers to the short basis (the private key) of the lattice that is used to generate the short vector (the signature) which points to the hash of the message on the lattice. A different class of non-trapdoor signatures over lattices, using the Fiat–Shamir heuristic [31], was proposed by Lyubashevsky [61].

There are two lattice-based candidate signature algorithms in round 3 of the NIST PQC Standardization as finalists:

  • Dilithium is part of CRYSTALS (Cryptographic Suite for Algebraic Lattices, www.pq-crystals.org), which includes both a key-exchange algorithm, Kyber, and a digital signature algorithm, Dilithium. Dilithium uses the Fiat–Shamir signing scheme [31] on a module-LWE problem. The designers deliberately set out to reduce the public key and signature sizes by improving on the work of Bai and Galbraith [8], and added the concept of “hints” [42] to do so.

  • Falcon (Fast-Fourier Lattice-based Compact Signatures over NTRU, www.falcon-sign.info) is based on GPV [34] by applying the SIS problem over NTRU lattices [44]. For the trapdoor sampling, the designers used fast Fourier sampling to improve signing time while achieving a shorter short vector.

1.2 Code-based Cryptography

Code-based cryptography was proposed by McEliece [65] in 1978, who described an asymmetric key cryptosystem based on the hardness of decoding a generic linear code, an NP-hard problem. A linear code is essentially a form of error-correcting code with linear combination properties. The private key in code-based cryptography is typically a code C that has the ability to correct t errors. When sending a message, the sender encodes the message with the public key and introduces t errors into the encoding; the receiver, holding code C, can decode the message while correcting the errors. Typical key sizes for code-based cryptography exceed 1 Mbit to achieve 128-bit security strength.

There were two digital signature proposals in the NIST PQC Standardization round 1, but both had attacks published in the subsequent public consultation and neither managed to move to round 2 [68].

1.3 Multivariate Cryptography

Multivariate cryptography is a broad class of cryptographic techniques encompassing algorithms that rely on the difficulty of solving a system of p multivariate polynomial equations in s unknowns (or variables). When performing digital signing, the set of p equations in s unknowns is the public key, while the signature is a vector n of values for those unknowns. During signing, the signer uses the private key, which consists of two affine transformations and a carefully crafted set of polynomial equations that together form a trapdoor function, to compute n from the hash of the message. The verifier substitutes n into the p public equations and checks that their output corresponds to the hash of the signed message. While the problem sounds intuitively NP-hard, much of the security lies with the underlying multivariate scheme, the choice of the parameters s and p, and the design of the trapdoor function needed to support public key cryptography [22].

One of the earliest multivariate cryptographic constructs was by Matsumoto and Imai [64], who proposed C* in 1988. It was subsequently broken by Patarin [74], who used the general principle to introduce Hidden Field Equations (HFE) [75] and balanced oil and vinegar [76]. Kipnis, Patarin, and Goubin then introduced unbalanced oil and vinegar (UOV) [55], which is the basis for Rainbow [24]. The attractiveness of multivariate cryptography as a PQC candidate lies in its promise of a much smaller key size. Sflash [3], a C* variant, was included in the European consortium NESSIE project in 2003 due to its ability to fit in an 8-bit smartcard, but was broken in 2007 [25].

There are two multivariate-based candidate signature algorithms in round 3 of NIST PQC Standardization:

  • Rainbow was first introduced in 2005 [24] as a generalization of UOV that allows multiple layers, each with different parameters chosen. Additional layers can improve the security strength of the overall signature construct, but they impact the efficiency and resources needed by the signing and verifying entities. Rainbow is a NIST PQC Standardization round 3 finalist.

  • GeMSS (A Great Multivariate Short Signature, www-polsys.lip6.fr/Links/NIST/GeMSS.html) is based on HFE [75] and enhances the work from Quartz [77]. Quartz already generates very small signatures of 128 bits, and GeMSS was designed as a faster variant of Quartz with better signing efficiency. GeMSS is a NIST PQC round 3 alternate candidate.

1.4 Hash-based Cryptography

Hash-based digital signatures were first introduced by Lamport in 1979 [57]. The concept relies on the difficulty of finding a pre-image of the hash function, which is essentially the pre-image resistance property of good one-way hash functions. Hash-based digital signatures are notorious for their large signature sizes and limited key lifetime, since a pre-image (when used as the secret key) can only be used once. On the other hand, interest remains high in using hash-based cryptography as a post-quantum algorithm due to its proven resistance against quantum computers. Using a quantum computer, an adversary can achieve at most a quadratic speedup [12] by using Grover’s algorithm [40] to carry out a brute-force search for the pre-image of a hash.

There have been several improvements to Lamport’s one-time signature (OTS) through variations in the use of Merkle trees [45, 46, 66] to extend the secret key into a multi-use derivation secret, as well as to reduce the size of the signature. This formed the basis of stateful hash-based signatures [15, 60]. To achieve a finite number of stateless signatures, Reyzin’s few-time signature Hash-to-Obtain-Random-Subset (HORS) [84] is used to transform an OTS into an N-time signature scheme, where the same private key can be used to securely sign N messages. As each signature reveals a portion of the private key, security degrades from the \((N+1)\)-th signature onwards. SPHINCS by Bernstein et al. [13] builds on Goldreich’s [36] stateless hyper-tree construct to obtain more private signing keys and uses HORST (HORS adapted with trees) as the leaves of the trees to increase the number of signatures per key.

SPHINCS\(^+\) (Stateless Practical Hash-based Incredibly Nice Cryptographic Signatures, www.sphincs.org) is a stateless hash-based signature scheme. It improves on the HORST design of SPHINCS [13] to obtain faster signing and smaller signatures. SPHINCS\(^+\) is the only hash-based digital signing candidate in round 3 of NIST PQC Standardization, where it is an alternate candidate.

1.5 Isogeny-based Cryptography

An isogeny is a mathematical mapping, or morphism, between two mathematical structures. In the case of [86], the public key system is based on the difficulty of finding the isogeny between two elliptic curves. For an elliptic curve E, let the secret isogeny \(\phi\) map E to \(E/\langle P\rangle\) and the secret isogeny \(\psi\) map E to \(E/\langle Q\rangle\); revealing E, \(E/\langle P\rangle\), and \(E/\langle Q\rangle\) does not allow the adversary to learn \(\phi\) or \(\psi\). Hence, similarly to a Diffie–Hellman key exchange, two communicating parties can each generate a respective secret \(\phi\) and \(\psi\) and both arrive at \(E/\langle P,Q\rangle\), forming a shared secret securely. The most promising advantage of isogeny-based cryptography is its key size, which is relatively small compared to the other schemes. As the isogenies are based on elliptic curves, key sizes range from 768 bits to 1024 bits for an equivalent 128-bit security strength. Unfortunately, no isogeny-based digital signature schemes were submitted to the NIST PQC Standardization. Hence, isogeny-based cryptography, like code-based cryptography, is only considered for PQC key exchange.

1.6 Zero Knowledge

Zero-knowledge proofs have their origins in 1985, when Goldwasser, Micali, and Rackoff [38] defined zero-knowledge proofs as proofs that “convey no additional knowledge other than the correctness of the proposition.”

Non-interactive zero-knowledge proofs of knowledge constructions such as MPC-in-the-head [49] and ZKBoo [35] rely on multiparty computation (MPC) with collision-resistant one-way functions, which could be in the form of strong hash functions (e.g., SHA2-256, SHA3-384) or symmetric key encryption functions (e.g., AES-256) to complete the proof. Informally, the MPC zero-knowledge proof works by the prover splitting the secret into multiple shares (e.g., using exclusive-OR) and committing to the hash of each share. When the verifier challenges the prover on a subset of the shares, the prover is able to produce a “view” for the subset without revealing the actual values. Repeated challenges will increase the level of assurance in the proof.

Picnic (https://microsoft.github.io/picnic) is the only zero-knowledge proof digital signature scheme in round 3 of NIST’s PQC Standardization as an alternate candidate. It uses ZKB++ [19], a variant of ZKBoo, as the zero-knowledge proof where the underlying MPC circuit is the LowMC encryption scheme and the hash function used is SHAKE (a SHA-3 derived function). The Picnic signature scheme is made non-interactive through the use of either the Fiat–Shamir or the Unruh transform.


Cite this article

Tan, T.G., Szalachowski, P. & Zhou, J. Challenges of post-quantum digital signing in real-world applications: a survey. Int. J. Inf. Secur. 21, 937–952 (2022). https://doi.org/10.1007/s10207-022-00587-6
