Evaluation of Post-Quantum Distributed Ledger Cryptography

This paper evaluates the current cybersecurity vulnerability of the prolific use of Elliptical Curve Digital Signature Algorithm (ECDSA) cryptography in use by the Bitcoin Core, Ethereum, Bitcoin Cash, and enterprise blockchains such as Multi-Chain and Hyperledger projects Fabric, and Sawtooth Lake. These blockchains are being used in media, health, finance, transportation and government with little understanding, acknowledgment of the risk and no known plans for mitigation and migration to safer public-key cryptography. The second aim is to evaluate ECDSA against the threat of Quantum Computing and propose the most practical National Institute of Standards and Technology (NIST) Post-Quantum Cryptography candidate algorithm lattice-based cryptography countermeasure that can be implemented near-term and provide a basis for a coordinated industrywide lattice-based public-key implementation. Commercial quantum computing research and development is rapid and unpredictable, and it is difficult to predict the arrival of fault-tolerant quantum computing. The current state of covert and classified quantum computing research and advancement is unknown and therefore, it would be a significant risk to blockchain and Internet technologies to delay or wait for the publication of draft standards. Since there are many hurdles Post-Quantum Cryptography (PQC) must overcome for standardisation, coordinated large-scale testing and evaluation should commence promptly.


Introduction
Rapid advances on a global scale in Quantum Computing technologies and the threat it poses to most standardized encryption prompted NIST to put out an international call for candidate quantum-resistant publickey cryptographic algorithms to evaluate for standardization. NIST will conduct efficiency analysis on their reference platform delineated in the Call for Proposals; NIST invites the public to perform similar tests and compare results on additional platforms (e.g., 8-bit processors, digital signal processors, dedicated complementary metal oxide semiconductor (CMOS), etc.) and provide comments regarding the efficiency of the submitted algorithms when implemented in hardware.
This research has two goals; the first is to examine the vulnerabilities in current Asymmetric Digital Signature Cryptography (ASDC) as used in private key generation in Bitcoin Blockchain technology in the PQC era. The second goal is to independently test and evaluate candidate NIST algorithms to assist in the process of selection of acceptable candidate cryptosystems for standardisation and the proposal of potential replacement of ADSC in private key generation in blockchain and distributed ledger technology. Most blockchain and distributed ledger technologies use an asymmetric digital signature scheme for private key generation such as, ECDSA, which has been cloned often from the Bitcoin Blockchain. These digital signature schemes are being implemented in critical sectors of government and the economy. Evaluations will include cryptographic strengths and weaknesses of NIST candidate pool of submitted algorithms. It is expected that the analysis will consist of required performance parameters that include;

Public Key, Ciphertext, and Signature Size, Computational Efficiency of Public and Private Key Operations, Computational Efficiency of Key Generation, and Decryption Failures against NIST provided Known Answer Test values (KAT).
Blockchain and Distributed Ledger cryptography private key generation cyber-security concepts are poorly understood, and often misrepresented.
There is a misconception that Blockchain technology can't "be hacked," resulting in a general endorsement for critical sectors and industries [1]. The author believes that the technology offers excellent cyber-security promise for many areas, but the limitations and strengths must be defined. This work examines the weakness of the ECDSA and its current vulnerability and uses in the Bitcoin Blockchain or Distributed Ledger Technology (DLT). Many industries are rapidly adopting versions or mutations of the first of the Bitcoin Blockchain technology in essential sectors such as information technology, financial services, government facilities, healthcare, and Public Health Sector seemingly, without cybersecurity due diligence, a proper comprehension of the cryptography vulnerabilities or plans for addressing quantum computing threats [2]. The ECDSA is the foundation of Public Key Infrastructure (PKI) for many Internet applications and open source projects, and it's the primary source for public-key cryptography. The second part of this paper offers the most practical and near-term first-round candidate NIST Lattice-Based Post-Quantum Cryptography solution with a recommendation for immediate coordinated (academia, the private sector, government) independent testing, verification, and validation (IV&V) and test framework for sharing results [3]. This framework aids in speeding the approval of PQC standards that are vital to global cybersecurity. The scope of this work evaluates the lattice-based digital signature scheme qTESLA, based on the verifiable hardness of the decisional Ring Learning With Errors (R-LWE) [4]. Quantum computing's threat adversely affects the cybersecurity of financial services such as payment systems, general network communications systems, business functions including cloud computing, Internet of Things (IoT) and critical infrastructure. Further, the author believes that currently estimated timelines for the availability of large-scale fault-tolerant quantum computers are underestimated due to unpredicted global progress and the veil of secrecy surrounding classified research programs led by organizations and governments around the globe. It is, therefore, essential to begin work and testing the most likely candidate algorithms for normalization.

Implications in this work
Current encryption systems and standards such as Ron Rivest, Adi Shamir and Leonard Adleman (RSA), Digital Signature Algorithm (DSA), and ECDSA impact everything from defense, banking, healthcare, energy, telecommunications, intelligence, Internet and the Blockchain. The compromise, disruption or non-availability of one of these sectors would severely impact the health and safety of U.S. national security, public health, safety or its economy.
Blockchain technology is a revolutionary technology that has great potential in many applications. This technology has gained global interest in all industry sectors based on cryptography-based algorithms that are considered vulnerable today but will be increasingly threatened by accelerated advances in quantum computing.

Significance of the findings
The time to test and validate new post-quantum cryptology is now, given it takes at least ten years to build and deliver a new public key infrastructure. The pace at which quantum computing advancements can be anticipated is uncertain. The ability to transition to post-quantum cryptology appears to be very complicated, and there are many unknowns concerning establishing, standardizing and deploying post-quantum cryptography systems. All of this must be completed before the arrival of large-scale quantum computers because the cybersecurity of many vital services will be severely degraded.

Bitcoin and Distributed Ledger Technology
The Bitcoin Cryptocurrency (BTC) is the first widespread application of blockchain technology. The critical elements of Blockchain and DLT have been in existence for decades, and they include fault-tolerance, distributed computing, and cryptography. Succinctly, the first iteration of this technology is a decentralized distributed database that keeps records of transactions relatively secure and in an append-only mode, where all peers eventually come to a consensus regarding the state of a transaction. The Bitcoin Blockchain like others operates in an open peer-to-peer (P2P) network, where each node can function as a client and a server at the same time. The nodes in the system are connected over TCP/ IP and once a new node is connected that node broadcast peer IP addresses via Bitcoin address messages. Each address maps to a unique public and private key; these keys are used to exchange ownership of BTCs among addresses. A Bitcoin address is an identifier of 26 to 35 alphanumeric characters [5] . Since the advent of BTC along with its choice of a data structure, called a block, modified blockchain technologies, makes use of different data structures such as Directed Acyclic Graph (DAGs). Therefore, recent versions of the newest blockchains can longer accurately be called blockchains, and it is more appropriate to use the term Distributed Ledger (DL) that applies to all version of the blockchain. Presently, according to Crypto-Currency Market Capitalizations [6], there are more than 2000 alternate cryptocurrencies, and most make use of the Bitcoin Blockchain or are clones with minor differences in the private key generation cryptography and structure. The primary configuration changes include the underlying hash function, block generation times, data structures and method of distributed consensus. However; the critical task of generating private keys in blockchains remains unchanged across most blockchain adaptions, and this work asserts that the foundation of the current cryptocurrency markets and all the private and public sectors using this technology are vulnerable to the same cybersecurity weaknesses.

ECDSA, libsecp256k1 and OpenSSL
The ECDSA algorithm is part of public-key cryptography and is also the cryptography the Bitcoin blockchain uses to generate the public and private keys. The ECDSA is used in critical infrastructure, secure communications over the Internet, cellular and Wi-Fi and in many blockchain forks in use today. Specifically, the Bitcoin blockchain uses the ECDSA and the Koblitz curve secp256k1 [7] which have significant weaknesses which include general algorithm structure, side-channel attacks, and threats from quantum computers. The Koblitz Curve was not adopted for standardisation by NIST due to the nonrandom structure of the algorithm. The Bitcoin creator selected a non-NIST P-256 approved curve to serve as a source of entropy. Entropy is defined in this case as the randomness inserted by an operating system or application for use in cryptography that requires random data. OpenSSL is an opensource software library used in BTC technology and ECDSA applications to secure communications and many critical infrastructures. OpenSSL [8] provides software Pseudo Random Number Generator (PNRG) based on a variety and type of hardware and software sources. Its core library is written in the C programming language. The process starts once the Bitcoin Core client is installed, and the user receives a set of ECDSA key pairs, called Addresses. The PRNG starts in the state unseeded and this state; it has zero entropy. A call to RAND bytes is made, and it will transfer automatically into the state seeded with a presumed entropy of 256 bits and is feed to the PRNG through a call to RAND add. The keys generated from this process are necessary to transfer BTC from one Address to the other. Next, the client needs to sign a specific message (called Transaction) with the private key of the user. The public key is used to check if the given user has rights to BTC [9].
The ECDSA algorithm relies on generating a random private key used for signing messages and a corresponding public key used for checking the signature. The bit security of this algorithm depends on the ability to compute a point multiplication and the inability to calculate the multiplicand given the original and product points.
The Koblitz curve secp256k1 is non-verifiably random and is defined by Standards for Efficient Cryptography Group (SECG), instead of the NIST 186-3 DSS Standard using the elliptic curve secp256r1. The security of the ECDSA algorithm and protocols relies on a source of distributed random bits.

Fault Attack on Bitcoin's Elliptic Curve with
Montgomery Ladder Implementation.
This Montgomery Ladder Fault Attack method is a fault attack on elliptic curve scalar product algorithms and can be used when the (y-coordinate) is not used. The bit security of the elliptic curve parameters in most cases can be significantly reduced. The Fault attack is a robust side-channel technique that is used to break ECDSA cryptographic schemes. The idea is to inject a fault during the computations of implementation and to use the faulty outputs to deduce information on the secret key stored in the secure component [10]. Table 1 gives the resultant bit security after the Montgomery Ladder Fault Attack.
The bold font indicates the scep256k1 security is below 2 60 since these computations can be easily performed with classical computers. The mention 'r' denotes parameters explicitly recommended in the standard, while the mention 'c' denotes parameters in conformance with the standard. The column "Strength" refers to the standard. Clearly, implementations without protections, the attacker can compute the discrete logarithm in the twist with a cost of 2 50 operations and retrieve the secret scalar for n = 256.

Algorithm Security Strength
Breaking a cryptographic algorithm can be defined as defeating some aspect of the protection that the algorithm is intended to provide. For example, a block cipher encryption algorithm that is used to protect the confidentiality of data is broken if, with an acceptable amount of work, it is possible to determine the value of its key or to recover the plaintext from the ciphertext without knowledge of the key.
The approved security strengths for federal applications are 128, 192 and 256 bits. Note that a security strength of fewer than 128 bits is no longer approved because quantum algorithms reduce the bit security to 64 bits. NIST Special Publication 800-57 Part 1 Revision 4: Recommended for Key Management as shown in Table 2 [11]. The Fault Attack on Bitcoin's Elliptic Curve with Montgomery Ladder Implementation yields security strength of only 50 bits as shown in Table 1.

NIST and Post-Quantum Cryptography
In December 2016, NIST formally announced its Call for Proposals (Request for Nominations for Public-Key Post-Quantum Cryptographic Algorithms), [12]. This call solicited   [4]. Public Key Systems based on R-LWE is computationally superior over LWE systems because of reduced overhead, greater capacity for message space and smaller public key sizes.

Selected algorithm for test and evaluation: qTESLA
The author's considerations for the selection qTESLA, are "reasonable" key and ciphertext sizes, and to a lesser extent the number of CPU cycles required for encryption, decryption, and verification, and potential incorporation into constrained devices such as smartphones and emerging IoT devices. Additional considerations included trust, metrics, parameters, migration, compatibility, and efficient and secure implementation. This submission utilizes two approaches for parameter generation. The first approach is called "heuristic qTESLA," and it uses heuristic method parameter generation and the second approach is called "provably-secure qTESLA," and its parameter generation is provably-secure. qTESLA includes five parameter sets that correspond to two security levels located in Table 3.
The security of lattice-based systems is provably secure under worst-case hardness assumptions. In the author's view, it is not  likely that current PQC will be direct replacements for current standards and will likely impact the entire category of Internet protocols, such as Transport Layer Security (TLS) and Internet Key Exchange (IKE).
System parameters can be viewed in Table 4 and Table 5.

Informal Signature Scheme
Informal descriptions of the algorithms that give rise to the signature scheme qTESLA are shown in Algorithms 1, 2 and 3. These algorithms require two basic terms, namely, B-short and well-rounded, which are defined below. Let q, LE, LS, and d be system parameters that denote the modulus, the bound constant for error polynomials, the bound constant for the secret polynomial, and the rounding value, respectively.  Require: Message m, public key pk = (a1, …, ak, t1, …, tk), and signature (z, c) Ensure: "Accept" or "reject" signature  [4].

Performance of post-quantum qTESLA algorithms analysis
To evaluate the performance of the provided implementations written in portable C, the author ran benchmarking suite on three machines powered by: (i) an Intel® Core™ i7-6500 CPU @ 2.50 GHz x 4 (Skylake) processor (see

Analysis
The author argued that the uncertainties had not been appropriately addressed. For example, there is the possibility that additional quantum algorithms or techniques will be developed, which will lead to new and unanticipated attacks. Also, it is difficult to calculate the impact of those programs that are highly classified, and its performance characteristic is not public. Rapid and unpredictable advancements in quantum computing, are endangering or making current encryption schemes obsolete. It has been established that the most significant threat posed by quantum computers is directed towards current RSA, ECC digital signature scheme systems on which Bitcoin, Distributed Ledger and much of Internet-based technology uses.
It has been settled that the current RSA and ECC based public key cryptography are broken, and the AES cryptography is adversely reduced in bit security by quantum computing era. It is the author's view that recommendations such as doubling the AES key size need to be examined while considering the constraints of present systems. Current AES-128 is reduced to 64-bit security, and AES-256 would have 128-bit security.
An example of the impact of doubling the key size for AES-256 to AES-512 is not well documented and verified. This alternative algorithm (AES-512) would most likely use input block size and a key size of 512-bits. An increasing number of rounds and key schedule would adversely impact performance constraints, especially for constrained devices. The higher the key size, the more secure the ciphered data, but also the more rounds needed. In the hardware perspective, a bigger key size also means a larger area and power consumption due to more operations that need to be done. More focus and examination need to be done for AES in the PQC era, especially for constrained devices.
The author specifically, examined the ECDSA that are in use in Bitcoin and Distributed Ledger technologies. Secondly, evaluated NIST Candidate PQC for standardisation and possible replacement in blockchain and other public key cryptography Internet-based technologies. Table 6 gives the ECDSA (P-256) parameters used as the benchmark for comparison regarding the number of quantum security bits, and the size of the public key, secret key and signature key as an independently controlled variable. According to NIST, the use of schemes with less than 112-bit security is deprecated and will eventually be disallowed for use by U.S. government institutions to handle sensitive data. It is noted that that speed at which the encryption and decryption occurs is also an important parameter.   The following results cannot be compared directly with the vendor qTESLA's submitted results, but; specific observations can be made with alternative applications and platforms. It is the author's view that if the key sizes are not manageable and practical for use in conventional and constrained devices, then the time or speed becomes less critical metric compared to key size. Table 7, Table 8 and Table 9 gives the results of the independent tests on respective platforms and performance is measured (in thousands of cycles) of the reference implementation. Results for the median and average (in the first and second table respectively) are rounded to the nearest 10 3 cycles. Signing is performed on a message of 59 bytes.

Recommendations
The PQC Standardisation process is complex, arduous and requires coordinated involvement (academia, private and public sector) and requires significant IV&V before formalization. Successful PQC must be resistant to both classical and quantum attacks. Multiple tradeoffs will have to be considered such as security, performance, key size, signature size, and side-channel resistance countermeasures. Other important considerations are the capability to migrate into new and existing applications such as TLS, IKE, code signing, PKI infrastructure.
It is necessary to begin a coordinated international campaign to mitigate the uncertainties of breakthroughs and the unknowns regarding classified programs. The aim should include, information sharing between the academic, public and private sector toward the common goal.
It is critical to devise and initiate the incorporation of cutting edge yet practical PQC to prevent a disastrous impact on global privacy, security, and economy before the arrival of large-scale fault-tolerant quantum computing.

Conclusion
qTESLA's submission for NIST Security Categories I and III as tested on platforms described in this work are more than two orders of magnitude larger for the public-key for qTESLA-p-1 (128-bit security) and qTESLA-p-III (192-bit security). The qTESLA-p-1 secret key is 56 times the size of ECDSA's secret key and qTESLA-p-III is two orders of magnitude larger.
It is essential to come to a consensus on how to assess quantum security. Currently, there is not a clear agreement on the best way to measure quantum attacks. It is, nevertheless, fundamental that work continues with alternatives that will produce smaller key sizes, comparable to the current ECDSA algorithms. The major drawback with qTESLA is the large key sizes which make it unlikely to be accepted in its current configuration. However, there is ongoing research being done to make it potentially a more viable candidate, both by reducing the key sizes and providing more efficient implementations (see tables 7, 8, 10).
The qTESLA's "Heuristic" submission for NIST Security Categories I and III are qTESLA-I, qTESLA-III-space, and qTESLA-III-size. The vendor claims that their heuristic approach is the security level of an instantiation of a scheme by the hardness level of the instance of the underlying lattice problem. Also, the claim is that it corresponds to these parameters regardless of the tightness gap of the provided security reduction if the corresponding R-LWE instance is intractable.
These claims and the necessary proof are beyond the scope of this work and cannot be independently verified and validated and is not the author's aim. It is important to note that; the results of qTESLA's heuristic algorithm were captured and are analyzed against its provably secure submissions. The heuristic algorithms were tested on the same platforms identified in the provably secure submission. qTESLA-I's public-key size vs. qTESLA-p-1's public-key size is a reduction of 90%. The secret key size at the same bit security level is reduced by 60%, and the signature size is reduced by 52%. Observations for public keys; qTESLA-III-size vs. qTESLA-p-III is reduced by 92%; secret key size reduction is 66%; signature size reduction is 56% (see Table 10).
The difference in the heuristic key sizes are dramatically reduced and compares more favorably to ECDSA (P-256) parameters. While the heuristic values are dramatically reduced compared to the provably secure values, the key sizes are still large compared to current standard ECDSA (P-256) sizes. For  example; the best result for the secret key size for qTESLA-IIIsize (4160) vs. ECDSA (P-256) secret key size (96) is a 4233% increase and would prove problematic in existing systems.

Future Work
The author selected qTESLA's submission which is 1 of 5 NIST Candidate PQC digital signature schemes. Additional work needs to be done in verifying and validating and testing vendors results. Concrete PQC parameters for testing and validation need to be created for the promotion of a baseline. The parameters should be modified to determine the best tradeoffs while maintaining required security. Moreover, the organization of guidelines and standards are necessary for the wider cryptography community to aid in PQC standardisation create efficient, high-quality implementations.
Continued measurements of current PQC scheme implementations should be performed, such as performance and memory usage on the ARM and CMOS platforms. Many embedded devices have ARM and CMOS architecture and have limited computational and memory resources. NIST currently plans a Post-Quantum Cryptography Round 2 call tentatively schedule in 2019 and will offer additional opportunities for IV&V and research.