# Digital signatures over hash-entangled chains

- 40 Downloads

**Part of the following topical collections:**

## Abstract

In this work we introduce a new approach for digital signature based on hash chains. The method is supported on the well known security principles of hash functions. Some main advantages of this public key system include security and estimated efficiency through the so called signature chains. In addition, the algorithm is a promissory alternative for digital signatures for the quantum era.

## Keywords

Hash Chain Digital signature## 1 Introduction

Generally speaking, a digital signature covers the methods useful to demonstrate irrevocably that a user has written a digital message. To achieve the goal, such algorithms have exploited some computational problems based on modular arithmetic or the security properties of hash functions. Unfortunately, methods based on the integer factorization problem or discrete logarithm fail under Shor’s algorithm for the quantum era [1]. By contrast, hash functions are considered a good alternative to construct post-quantum algorithms [2]. In such scenario, we have developed a new method based on what we call hash-entangled chains. The term hash-entangled denotes that a hash-chain is linked to a previous chain. Later, we will give detail about the algorithm. First, in the next section, we will describe briefly some of the most relevant systems for digital signatures. Next, we will introduce the hash-entangled method to discuss, right away, the security issues and performance of the algorithm.

### 1.1 Digital signatures

Some methods have been developed to perform digital signatures. We can mention two main algorithms emerged among modular arithmetic which are based on the difficulty of the integer factorization problem: the RSA cryptosystem [3, 4] and the Rabin cryptosystem [5]. Also, the Digital Signature Algorithm (DSA) [4, 6, 7] is based on the difficulty of the discrete logarithm problem.

Well known security foundations

A variety of algorithms is available

A promissory alternative to be post-quantum

Easy and fast to compute hash chains

Specific hardware has been developed to compute hash chains

Arbitrary data size input.

Fixed data size output (e.g. 128, 160, 256 bits, etc).

Feasible to compute. Is easy to compute

*f*(*x*) for all*x*.One way function. For any given hash value

*h*it is computationally infeasible to find*x*given \(f(x)=h\).Resistant to collision simple. For any given input

*x*, it is computationally infeasible to find \(y \ne x\) so that \(f(y) = f(x)\).Resistant to strong collision. It is computationally infeasible to find any pair (

*x*,*y*) in such a way that \(f(x)=f(y)\).

## 2 Digital signatures using hash-chains

For the present discussion, a hash chain is computed from a secret seed *s* then performing a hash chain whose length is fixed to \(2^n-1\) (*n* could be chosen between 128, 160, 256, etc.). After applying the hash function over the seed it yields the head of the chain \(f^{2^{n}-1}(s)\). If some middle point of the chain is shared or revealed, say \(f^{2^{n}-1-x}(s)\), this value conducts to \(f^{2^{n}-1}(s)\) by applying successively *x* times the hash function, that is \(f^{x}(f^{2^{n}-1-x}(s))=f^{2^{n}-1}(s)\).

From the previous discussion, a message can be signed in the following manner: Alice publishes \(f^{2^{n}-1}(s)\) where *s* is a secret number and *n* is publicly shared and it is fixed. Now, taking the hash of the message to be signed say \(f(m)=h\) Alice publishes *m* and \(f^{2^{n}-1-h}(s)\). Any user who wants to verify the signature just compute *h* and from here \(f^{h}(f^{2^{n}-1-h}(s))=f^{2^{n}-1}(s)\).

*k*be the number of the hash chains to be used. The effect of increasing

*k*will be discussed later.

### 2.1 Digital signatures using multiple hash-chains

- 1.
Alice chooses randomly four seeds \(s_1\), \(s_2\), \(s_3\) and \(s_4\), then she computes the hash-chains \(f^{2^{n}-1}(s_1)\), \(f^{2^{n}-1}(s_2)\), \(f^{2^{n}-1}(s_3)\) and \(f^{2^{n}-1}(s_4)\). For this example, the size of each seed is \(|s_i|=128\) bits. The number

*n*is fixed to 128 /*k*thus the length of the hash chain is \(2^{32}-1\). Now, Alice publishes her public head-chains: \(P_{u_A}= \{f^{2^{32}-1}(s_1), f^{2^{32}-1}(s_2), f^{2^{32}-1}(s_3), f^{2^{32}-1}(s_4)\}\). - 2.
To sign the first message \(m_1\), Alice computes the hash of the message which is denoted as \(h_1=f(m_1)\). Then, she separates the 128 bits in tree portions of 32 bits. Let us denote such portions as \({h_1}^{00}\), \({h_1}^{01}\), \({h_1}^{10}\) and \({h_1}^{11}\). Alice takes the seeds and computes \(f^{2^{32}-1 - {h_1}^{00}}{(s_1)}\), \(f^{2^{32}-1 - {h_1}^{01}}{(s_2)}\), \(f^{2^{32}-1 - {h_1}^{10}}{(s_3)}\) and \(f^{2^{32}-1 - {h_1}^{11}}{(s_4)}\).

- 3.
Alice publishes the message \(m_1\), so any user who wants to verify the signature must check that: \(f^{{h_1}^{00}}( f^{2^{32}-1 - {h_1}^{00}}{(s_1)}) = f^{2^{32}-1}(s_1)\), \(f^{{h_1}^{01}}( f^{2^{32}-1 - {h_1}^{01}}{(s_2)}) = f^{2^{32}-1}(s_2)\), \(f^{{h_1}^{10}}( f^{2^{32}-1 - {h_1}^{10}}{(s_3)}) = f^{2^{32}-1}(s_3)\), \(f^{{h_1}^{11}}( f^{2^{32}-1 - {h_1}^{11}}{(s_4)}) = f^{2^{32}-1}(s_4)\).

- 4.
Finally, Alice generates and publishes the next head chains \(f^{2^{32}-1}(s_5)\) and \(f^{2^{32}-1}(s_6)\), \(f^{2^{32}-1}(s_7)\), \(f^{2^{32}-1}(s_8)\) as they can be seen in Fig. 2. The process continues to sign an undefined number of incoming messages.

## 3 The entanglement algorithm

The security of the method is based in what we call the entanglement algorithm. To describe it, let us consider firstly the case \(k=1\). At the end of this section, we will generalize the algorithm.

Suppose Alice has signed a message \(m_0\) using \(f^{2^{n}-1}(s_0)\), it means she has revealed \(f^{2^{n}-1-h_0}(s_0)\) where \(h_0=f(m_0)\). If Alice signs a new message \(m_1\) so \(h_1=f(m_1)\) an intruder could fake the signature of \(m_1'\) provided \(h_1'< h_1\) where \(h_1'=f(m_1')\) because it is easy to compute the hash chain in such direction (see bottom of Fig. 3).

To surpass such weakness we propose the entanglement algorithm which is based on the fact that in a hash chain after signing a message always remains unused some points at the left of the computed values of the chain. This is so because \(2^n-1\) is the maximum number that could be allocated in the chain so \(2^n-1 > h_i\) (see Fig. 3).

The first step is compute the relation between the complement of \(h_1\) that is \(2^n-1 - h_1\) over the length of the hash chain \(2^n-1\) then projecting it over \(2^n-1 - h_0\) as indicated in Eq. 1. We must demonstrate that in the presence of an attacker who is trying to fake \(h_1\) with \(h_1'\), the point that defines \(\frac{2^n-1 - h_1'}{2^n-1} (2^n-1 - h_0)\) is always at the left of \(\frac{2^n-1 - h_1}{2^n-1}(2^n-1 - h_0)\) in the hash chain of \(s_0\) (see Fig. 3). Such condition is represented in Eq. 2. We must remark that \(\delta x_1\) defines a unique point inside the hash chain according to hash principles (see Fig. 3). The steps indicated after Eq. 2 allow us to conclude that \(h_1' < h_1\) which is always true as it was commented previously.

- 1.
Assume Alice has previously published \(f^{2^n-1} (s_{1})\). To sign the message \(m_1\) Alice computes the chain ratio \(\delta x_1\) to obtain \(f^{2^n-1 - h_0 - \delta x_1}(s_{0})\), then she publishes it along \(m_1\).

- 2.Using \(m_0\) and \(m_1\) Bob computes \(\delta x_1\) and verifies that:
\(f^{\delta x_1}(f^{2^n-1 - h_0 - \delta x_1}(s_{0})) = f^{2^n-1 - h_0}(s_0)\) (remember that \(f^{2^n-1 - h_0}(s_0)\) has been previously published by Alice.

\(f^{h_1}(f^{2^n-1 - h_1}(s_{1})) = f^{2^n-1}(s_1)\).

As stated before, if \(h_1' > h_1\), Eve would try to forge the message \(m_1'\) but this condition violates Eq. 2. This requires Eve to compute the hash function from \(f^{2^n-1 - h_0 - \delta x_1}(s_{0})\) to \(f^{2^n-1 - h_0 - \delta x_1'}(s_{0})\) (see Fig. 3). This operation implies reversing (several times) the hash function which it is assumed to be computationally infeasible.

### 3.1 Single-chain

Firstly, Bob must verify the hash of the first two messages signed by Alice \(h_0=f(m_0)\) and \(h_1=f(m_1)\).

Then he computes \(\delta x_1 = h_1 - \frac{h_0 h_1}{2^n-1}\).

Using \(f^{2^n-1 - h_1 - \delta x_1}(s_{0})\) Bob verifies that \(f^{\delta x_1}(f^{2^n-1 - h_1 - \delta x_1}(s_{0})) = f^{2^n-1 - h_1}(s_{0})\).

Bob obtains the hash of the next message \(h_2=f(m_2)\).

Using \(f^{2^n-1 - h_2 - \delta x_2}(s_{1})\) Bob verifies that \(f^{\delta x_2}(f^{2^n-1 - h_2 - \delta x_2}(s_{1})) = f^{2^n-1 - h_2}(s_{1})\).

The verification process continues until Bob reaches the current signature executed by Alice.

- 1.
\(h_i\)

- 2.
\(f^{2^n-1}(s_{i})\)

- 3.
\(f^{2^n-1 - h_i }(s_i)\)

- 4.
\(f^{2^n-1 - h_i - \delta x_{i+1}}(s_i)\)

- 1.
\(h_i\)

- 2.
\(f^{2^n-1 - h_i }(s_i)\)

- 3.
\(f^{2^n-1 - h_i - \delta x_{i+1}}(s_i)\)

## 4 Performance analysis

As discussed before, using a 256-bit hash requires to compute the hash chain as \(f^{2^{256}-1}(s)\) which could be and extremely heavy process. However, as commented earlier the hash of the message can be divided into *k* chains.

We will analyze the performance of the signature method for some *k* values at a hash rate of 15,840,454 hash/s according to the data published on the site bitcointalk.org. Let us call *N* to the size of the hash function used in the signature process. So we have \(N = \sum _{i=1}^{k} \cdot n_i\). For example, if \(N=128\) and \(k=4\) they are generated four chains of 64 bits.

The hash length is \(N=256\)

\(k: f^{2^n-1}(s_i)\) where \(i=1, \ldots , k\) | \(k \cdot 256\) (bits) | Number of hashes | Required time (s) |
---|---|---|---|

\(2: f^{|128|}(s_1), f^{|128|}(s_2)\) | 512 | \(2^{128}\)–\(10^{38}\) | \(\sim 10^{31}\) |

\(4: f^{|64|}(s_1), f^{|64|}(s_2), \ldots f^{|64|}(s_4)\) | 1024 | \(2^{64}\)–\(10^{18}\) | \(\sim 10^{11}\) |

\(8: f^{|32|}(s_1), f^{|32|}(s_2), \ldots f^{|32|}(s_8)\) | 2048 | \(2^{32}\)–\(10^{8}\) | \(\sim 10^{1}\) |

\(16: f^{|16|}(s_1), f^{|16|}(s_2), \ldots f^{|16|}(s_{16})\) | 4096 | \(2^{16}\)–\(10^{4}\) | \(\sim 10^{-3}\) |

\(32: f^{|8|}(s_1), f^{|8|}(s_2), \ldots f^{|8|}(s_{32})\) | 8192 | \(2^{8}\)–\(10^{1}\) | \(\sim 10^{-6}\) |

\(N=160\) bits at a hash speed of \(10^{7}\) hash/s

\(k: f^{2^n-1}(s_i)\) where \(i=1, \ldots , k\) | \(k \cdot 160\) (bits) | Number of hashes | Required time (s) |
---|---|---|---|

\(2: f^{|80|}(s_1), f^{|80|}(s_2)\) | 320 | \(2^{80}\)–\(10^{23}\) | \(\sim 10^{16}\) |

\(4: f^{|40|}(s_1), f^{|40|}(s_2), \ldots f^{|40|}(s_4)\) | 640 | \(2^{40}\)–\(10^{11}\) | \(\sim 10^{4}\) |

\(8: f^{|20|}(s_1), f^{|20|}(s_2), \ldots f^{|10|}(s_8)\) | 1280 | \(2^{20}\)–\(10^{6}\) | \(\sim 10^{-1}\) |

\(16: f^{|10|}(s_1), f^{|10|}(s_2), \ldots f^{|5|}(s_{16})\) | 2560 | \(2^{10}\)–\(10^{2}\) | \(\sim 10^{-5}\) |

\(N=128\) bits at a hash speed of \(10^{7}\) hash/s

\(k: f^{2^n-1}(s_i)\) where \(i=1, \ldots , k\) (bits) | \(k \cdot 128\) | Number of hashes | Required time (s) |
---|---|---|---|

\(2: f^{|64|}(s_1), f^{|64|}(s_2)\) | 256 | \(2^{64}\)–\(10^{18}\) | \(\sim 10^{11}\) |

\(4: f^{|32|}(s_1), f^{|32|}(s_2), \ldots f^{|32|}(s_4)\) | 512 | \(2^{32}\)–\(10^{8}\) | \(\sim 10^{1}\) |

\(8: f^{|16|}(s_1), f^{|16|}(s_2), \ldots f^{|16|}(s_8)\) | 1024 | \(2^{16}\)–\(10^{4}\) | \(\sim 10^{-3}\) |

\(16: f^{|8|}(s_1), f^{|8|}(s_2), \ldots f^{|8|}(s_{16})\) | 2048 | \(2^{8}\)–\(10^{1}\) | \(\sim 10^{-6}\) |

\(32: f^{|4|}(s_1), f^{|4|}(s_2), \ldots f^{|4|}(s_{32})\) | 4096 | \(2^{4}\)–\(10^{0}\) | \(\sim 10^{-7}\) |

Some promising results are 128 bit-hash and 1024 bits key-size, 160 bit-hash with 1280 key-bit and 256 bit-hash with 4096 key-bit

\(k: f^{2^n-1}(s_i)\) where \(i=1, \ldots , k\) | Hash function (bits) | Key size (bits) | Number of hashes | Required time (s) |
---|---|---|---|---|

\(8: f^{|16|}(s_1), f^{|16|}(s_2), \ldots f^{|16|}(s_8)\) | 128 | 1024 | \(2^{16}\)–\(10^{4}\) | \(\sim 10^{-3}\) |

\(8: f^{|20|}(s_1), f^{|20|}(s_2), \ldots f^{|20|}(s_8)\) | 160 | 1280 | \(2^{20}\)–\(10^{6}\) | \(\sim 10^{-1}\) |

\(8: f^{|32|}(s_1), f^{|32|}(s_2), \ldots f^{|32|}(s_8)\) | 256 | 2048 | \(2^{32}\)–\(10^{8}\) | \(\sim 10^{1}\) |

\(16: f^{|16|}(s_1), f^{|16|}(s_2), \ldots f^{|16|}(s_{16})\) | 256 | 4096 | \(2^{16}\)–\(10^{4}\) | \(\sim 10^{-3}\) |

### 4.1 System implementation

16 points marked with the number 3 in the chain starting with \(s_0\).

16 verification points marked with the number 3 in the chain of \(s_1\).

16 new head-chains, points marked with the number 3 in the chain of \(s_2\).

16 hashes, points marked with the number 2 in the chain of \(s_0\) used by the web system to replace the head-chains (marked with the number 1 in the chain of \(s_0\) in Fig. 6).

The hash of the message written as hash File\(\_\)1 in Fig. 7.

He can go from the (16) points marked with the number 3 to the (16) points marked with the number 2 in the chain of \(s_1\).

Bob can move from the (16) points marked with the number 3 to the (16) points marked with the number 2 in the chain of \(s_0\).

The verification of the signature file takes around 0.3 s in our implementation. However, verification of the single-chain varies according to its length, occupying few minutes to complete the verification.

### 4.2 Applications

Comparative analysis between some of the main blockchain-based protocols

Protocol | Data base | Signature (s) | Verification of the chain | Block size | Total size | Q |
---|---|---|---|---|---|---|

Bitcoin | Blockchain | \(10^{-3}\) | Minutes to hours | \(\sim\) MB | 242 GB | No |

Ethereum | \(10^{-3}\) | 10–20 s | \(\sim\) kB | 600 GB | No | |

Single-chain | Distributed | 1.6–2.6 | 1–2 min | \(\sim\) kB | – | Yes |

To reduce the time to verify the single-chain of each user, it could be defined middle certificated points. It could be explored in a future implementation work.

## 5 Conclusions

Signature methods developed so far using hash functions are either ephemeral, as Lamport signature or they are not completely scalable as Merkle trees or Lizama hash signature. In this work, we have introduced a new approach based on hash functions and hash chains, which is capable to work over a public key infrastructure so that users can initialize remotely their hash-chain in its own computational device.

The signature method, which can exploited as a single block chain is based on the security principles of hash functions and our analyses suggests that the signature chains introduced here are scalable with today’s hash technology. The method does not require other math function apart of hash function, therefore the algorithm is a promissory alternative for digital signatures in the quantum era.

## Notes

### Compliance with ethical standards

### Conflict of interest

The author declares that they have no competing interests.

## References

- 1.Shor PW (1994) Algorithms for quantum computation: discrete logarithms and factoring. In: 35th Annual Symposium on Foundations of Computer Science, 1994 proceedings. IEEE, pp 124–134Google Scholar
- 2.Buchmann JA, Butin D, Göpfert F, Petzoldt A (2016) Post-quantum cryptography: state of the art. In: Ryan P, Naccache D, Quisquater JJ (eds) The new codebreakers. Springer, Berlin, pp 88–108CrossRefGoogle Scholar
- 3.Rivest RL, Shamir A, Adleman L (1978) A method for obtaining digital signatures and public-key cryptosystems. Commun ACM 21(2):120–126MathSciNetCrossRefGoogle Scholar
- 4.FIPS P (2009) 186-3. Digital signature standard (DSS)Google Scholar
- 5.Rabin MO (1979) Digitalized signatures and public-key functions as intractable as factorization. Tech. rep., Massachusetts Inst of Tech Cambridge Lab for Computer ScienceGoogle Scholar
- 6.FIPS N (1998) 186-1. Digital Signature StandardGoogle Scholar
- 7.FIPS P (2000) 186-2. Digital signature standard (dss). National Institute of Standards and Technology (NIST)Google Scholar
- 8.Lamport L (1979) Constructing digital signatures from a one-way function. Tech. rep., Technical Report CSL-98, SRI International Palo AltoGoogle Scholar
- 9.Merkle RC (1982) Method of providing digital signatures. US Patent 4,309,569Google Scholar
- 10.Merkle RC (1987) A digital signature based on a conventional encryption function. In: Advances in cryptology, CRYPTO 87. Springer, pp 369–378Google Scholar
- 11.Merkle RC (1989) A certified digital signature. In: Advances in cryptology, CRYPTO 89 proceedings. Springer, pp 218–238Google Scholar
- 12.Adrián LPL, Javier MAL, Seleyda HMF, Adrián LSL, Eric S-A (2019) Public hash signature for mobile network devices. Ing Investig Tecnol 20(2):1–10Google Scholar
- 13.Perlner RA, Cooper DA (2009) Quantum resistant public key cryptography: a survey. In: Proceedings of the 8th symposium on identity and trust on the internet. ACM, pp 85–93Google Scholar
- 14.Nielsen MA, Chuang IL (2010) Quantum computation and quantum information. Cambridge University Press, CambridgeCrossRefGoogle Scholar
- 15.Dattani NS, Bryans N (2014) Quantum factorization of 56153 with only 4 qubits. arXiv preprint arXiv:1411.6758
- 16.Dridi R, Alghassi H (2016) Prime factorization using quantum annealing and computational algebraic geometry. arXiv preprint arXiv:1604.05796
- 17.Bennett CH, Brassard G (1984) Quantum cryptography: public key distribution and coin tossing. In: Int. conf. on computers, systems and signal processing, Bangalore, pp 175–179Google Scholar
- 18.Lizama-Pérez LA, López JM, De Carlos-López E, Venegas-Andraca SE (2014) Quantum flows for secret key distribution in the presence of the photon number splitting attack. Entropy 16(6):3121–3135MathSciNetCrossRefGoogle Scholar
- 19.Lizama-Pérez LA, López JM, De Carlos López E (2016) Quantum key distribution in the presence of the intercept-resend with faked states attack. Entropy 19(1):4CrossRefGoogle Scholar