CPS-0027? | Approaches to Post-Quantum Signatures #1144
+249
−0
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,249 @@ | ||
| --- | ||
| CPS: 27 | ||
| Title: Post-quantum signatures | ||
| Category: Plutus | ||
|
Collaborator
There was a problem hiding this comment. IMO; we need a CPS that covers and indexes all attack surfaces for when a QC hits the scene, so I do not think it is just a plutus problem. As an overview
As you can see, if we get a quantum computer, our consensus and settlement layer will probably be attacked first, so the problem is wider. But from this overview we also see what kind of quantum tools and construction we will need (not only signature schemes); we will also need a VRF, KES construction, and most likely some quantum secure ZK scheme. A complex problem with many open questions. And from a presentation that @hjeljeli32 gave once, I think the best we can do now, is redesign our code base that we can swap in and out our underlying crypto primitives (which is also probably not trivial). This way, we can adapt ourselves to new schemes that pop up, but research needs to drive this solution space.
Collaborator
There was a problem hiding this comment. Given this broader context, another open question is; given that QC has broken the above schemes, how can we ensure that bootstrapping nodes follow the right chain? E.g, QC breaks the forward security of the KES keys that sign blocks
Contributor
Author
There was a problem hiding this comment. I don't disagree with any of this - in fact, I agree very strongly! However, the sheer magnitude of this problem means that no single CPS will cover it reasonably. In fact, the last one that tried got severely bogged down in details and ended up not progressing as a result. The reasons behind why we (meaning 'MLabs') wanted to focus on a specific case of post-quantum security was to prevent exactly this kind of scope blowout and death by details. Specifically, we tried to make for a CPS such that:
It's not that we feel this is necessarily the only, or even the most important, task or set of questions, merely the one we feel most able to tackle in future work (and want feedback on), and the one residing in the area we understand best (as MLabs are responsible for the implementation of quite a few builtins, including CIPs and working with Plutus Core maintainers). Does this help answer your questions? |
||
| Status: Open | ||
| Authors: Koz Ross <koz@mlabs.city> | ||
| Proposed Solutions: [] | ||
| Discussions: | ||
| - Original PR: https://github.com/cardano-foundation/CIPs/pull/1144 | ||
| Created: 2026-01-29 | ||
| License: Apache-2.0 | ||
| --- | ||
|
|
||
| ## Abstract | ||
|
|
||
| Post-quantum cryptography, specifically with regard to digital signatures, is | ||
| important at all levels of the Cardano chain, including for script and dApp | ||
| developers. There is no current way to do this short of implementing such | ||
| functionality yourself, which is difficult, inefficient and risky. This is in | ||
| contrast to pre-quantum signature schemes, which exist as easy-to-use and | ||
| efficient builtins. | ||
|
|
||
| ## Problem | ||
|
|
||
| [Quantum computing][quantum-computing] is a realizable approach to computation | ||
| that threatens to turn a lot of existing security-oriented algorithms on their | ||
| heads. In particular, the existence of [Shor's algorithm][shors-algorithm] means | ||
| that a quantum computer with sufficient resources could break any existing | ||
| cryptographic scheme that relies on integer factorization or discrete logarithms | ||
| for its hardness. As many currently-used public-key cryptography systems rely on | ||
| the hardness of one of these problems, this is a looming concern. In the world | ||
| of blockchain, concerns over quantum computing are also being taken seriously: | ||
| the Ethereum Foundation has elevated post-quantum | ||
| security to a [top strategic priority][ethereum-top-priority] this year, and | ||
| Algorand have [been taking proactive steps][algorand-steps] around post-quantum | ||
| security since at least 2022. In the Cardano ecosystem, The Intersect Product | ||
| Committee's [Cardano 2030 Strategic Framework][2030-strategic-framework] | ||
kozross marked this conversation as resolved.
Show resolved
Hide resolved
kozross marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| describes 'post-quantum readiness' as a focus area for security and resilience. | ||
|
|
||
| The number of problems posed by the looming arrival of quantum computing is | ||
| large, and covers many areas relating to the operation of a blockchain: a single | ||
| CPS could not possibly cover them all. Thus, we examine a specific problem, in a | ||
| specific context, which can be scoped precisely. This stems from several | ||
| considerations: | ||
|
|
||
| * Avoiding scope creep and death by detail. The multifaceted nature, and sheer | ||
| size, of the issue of getting Cardano post-quantum-ready has already [caused | ||
| problems with previous attempts][prior-attempt] leading to their abandonment. | ||
| * The authors are more familiar with the specifics of some problems that would | ||
| need addressing with regard to post-quantum security in the context of | ||
| Cardano. Thus, we chose to focus the CPS around such a problem. | ||
| * Any solutions, or discussions, pertaining to a more specific problem in the | ||
| context of making Cardano post-quantum secure will generalize at least | ||
| somewhat to other problems in that space as well. | ||
|
|
||
| Thus, this CPS will form part of a larger, long-term effort toward making | ||
| Cardano ready for the post-quantum security landscape. Any discussions, or work, | ||
| in a more narrow space or problem will contribute towards future work in other | ||
| areas of Cardano. | ||
|
|
||
| One particular area affected | ||
| strongly by quantum computing breaking several previously-hard problems are | ||
| _digital signatures_, for which specific primitive operations exist on Cardano. | ||
| Currently, script developers have access to builtin operations verifying | ||
| signatures using the following schemes: | ||
|
|
||
| * Edwards-curve digital signature algorithm over the Ed25519 elliptic curve; | ||
| * Edwards-curve digital signature algorithm over the SECP256k1 elliptic curve; | ||
| and | ||
| * Schnorr signatures over the SECP256k1 elliptic curve. | ||
|
|
||
| Practical quantum computing using Shor's algorithm would render all of these | ||
| insecure. This is a significant issue for script and dApp developers who want to | ||
| future-proof the security of their work. While extensions such as CIPs | ||
| [121][cip-121], [122][cip-122] and [123][cip-123] make implementing the logic of | ||
| a different signature verification possible, as shown by projects such as | ||
| [Grumplestiltskin][grumplestiltskin] and the [SHA512 hashing][plutus-sha512] and | ||
| [Ed25519 verification][plutus-ed25519] benchmarks in Plutus, even implementing | ||
| the underlying primitives to support such schemes is a challenging task in | ||
| itself, before we consider performance and the old adage about not 'rolling your | ||
| own crypto'. | ||
|
|
||
| Part of the efforts to make Cardano 'post-quantum ready' must extend such | ||
| capabilities to developers of scripts and dApps to be meaningful. Currently, no | ||
| such possibilities exist in a practically usable way. | ||
|
|
||
| ## Use cases | ||
|
|
||
| The chief use case today for such capabilities are script or dApp developers | ||
| whose work currently relies on digital signatures. A good example of this would | ||
| be an auction system, where bids are signed by the bidders. Concretely, consider | ||
| the following validator code snippet: | ||
|
|
||
| ```haskell | ||
kozross marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| validBidTerms :: AuctionTerms -> CurrencySymbol -> BidTerms -> Bool | ||
| validBidTerms AuctionTerms {..} auctionID BidTerms {..} | ||
| | BidderInfo {..} <- bt'Bidder = | ||
| validBidderInfo bt'Bidder && | ||
| -- The bidder pubkey hash corresponds to the bidder verification key. | ||
| verifyEd25519Signature at'SellerVK | ||
| (sellerSignatureMessage auctionID bi'BidderVK) | ||
| bt'SellerSignature && | ||
| -- The seller authorized the bidder to participate | ||
| verifyEd25519Signature bi'BidderVK | ||
| (bidderSignatureMessage auctionID bt'BidPrice bi'bidderPKH) | ||
| bt'BidderSignature | ||
| -- The bidder authorized the bid | ||
|
|
||
| bidderSignatureMessage | ||
| :: CurrencySymbol | ||
| -> Integer | ||
| -> PubKeyHash | ||
| -> BuiltinByteString | ||
| bidderSignatureMessage auctionID bidPrice bidderPKH = | ||
| toByteString auctionID <> | ||
| toByteString bidPrice <> | ||
| toByteString bidderPKH | ||
|
|
||
| sellerSignatureMessage | ||
| :: CurrencySymbol | ||
| -> BuiltinByteString | ||
| -> BuiltinByteString | ||
| sellerSignatureMessage auctionID bidderVK = | ||
| toByteString auctionID <> | ||
| bidderVK | ||
| ``` | ||
|
|
||
| The snippet uses `verifyEd25519Signature` to check signatures on bids. If a dApp | ||
| developer wanted to make this future-proof against quantum computing attacks | ||
| against the security of these signatures, they currently have no way of doing | ||
| this short of implementing it themselves, with all the downsides previously | ||
| talked about. Even if they had the skills and time to implement a different | ||
| signature scheme verification as part of their script, it would be much less | ||
| efficient than a single builtin call, to say nothing of the security | ||
| implications. The authors have non-trivial experience with regard to all of | ||
| these problems: they are evidenced well by the [Grumplestiltskin | ||
| project][grumplestiltskin], as well as the [SHA512][plutus-sha512] and [Ed25519 | ||
| signature verification][plutus-ed25519] benchmark implementations submitted as | ||
| part of work on CIPs 121, 122 and 123, which exhibit _all_ of the above problems | ||
| in spades. | ||
|
|
||
| Another important use case is that, in the event of a quantum breakthrough, | ||
| post-quantum smart-contract-driven wallets can secure Cardano without having to | ||
| modify the ledger directly. While this is very much a worst-case scenario, | ||
| having this possibility available would be an additional layer of defence | ||
| against quantum computing compromising the chain. Post-quantum digital | ||
| signatures would be required to make this possible, and having such builtins | ||
| would allow it to be implemented easily if the need ever arose. | ||
|
|
||
| ## Goals | ||
|
|
||
| Ultimately, the goal would be to make one (or possibly several) post-quantum | ||
kozross marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| signature schemes available to dApp developers as UPLC builtins, similar to the | ||
| existing builtins for pre-quantum schemes. These should be chosen carefully, as | ||
| the space of post-quantum digital signature schemes has received much less | ||
| scrutiny than the pre-quantum schemes they are going to replace. At minimum, the | ||
| following criteria must be considered: | ||
|
|
||
| * Proofs or guarantees of their security. Being reviewed as part of a NIST | ||
| process, or having some published proofs or demonstrations of the scheme's | ||
| security would be a significant factor. | ||
| * The existence of a reference implementation that can be integrated into | ||
| `cardano-base` (a necessary requirement for builtins doing digital | ||
| signatures). | ||
| * Size of signature and verification key representations. | ||
| * Time required to verify a signature. | ||
| * Existing adoption (including by other chains in case of interoperability | ||
| requirements in the future). | ||
|
|
||
| ## Open Questions | ||
|
|
||
kozross marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| The biggest open question is precisely _which_ scheme should be chosen for the | ||
| non-trivial effort involved in introducing it as a builtin. A whole | ||
| constellation of different solutions exist, and more are being worked on, | ||
| relying on different problems for their hardness, and with a whole range of | ||
| tradeoffs and implementations. It is quite likely that no single scheme will be | ||
| ideal relative all the criteria given in the Goals section, and some of these | ||
| criteria are quite speculative. It is likely that a non-trivial research effort | ||
| will be required prior to this choice being made, if only to present sufficient | ||
| evidence for the choice. | ||
|
|
||
| A related question to the above is whether it might be worthwhile to have | ||
| _multiple_ schemes available. Currently, there are builtins covering three | ||
| different pre-quantum schemes (although two are variants on the same curve), | ||
| which suggests that doing something similar for post-quantum signature | ||
| verification may be a good idea. This could help 'cover our bases' regarding | ||
| questions of performance and existing adoption, but would magnify all of the | ||
| effort involved in getting usable builtins, starting with the research step and | ||
| ending with costing and implementation. A related concern is that of educating | ||
kozross marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| dApp and script developers about the benefits, and drawbacks, of each scheme in | ||
| such a case, as these are not likely to be clear to someone who isn't a | ||
| cryptography expert. | ||
|
|
||
| [Earlier efforts][prior-attempt] at a CIP around this problem highlighted three | ||
| promising candidate algorithms: | ||
|
|
||
| * [ML-DSA][ml-dsa], also known as CRYSTALS-Dilithium | ||
| * [Falcon][falcon] | ||
| * [SLH-DSA][slh-dsa], also known as SPHINCS+ | ||
|
|
||
| The primary reason for these specific algorithms being highlighted is NIST | ||
| standardization. ML-DSA and SLH-DSA have both been standardized as [FIPS | ||
| 204][fips-204] and [FIPS 205][fips-205] respectively. Falcon is still in the | ||
| process of review, to potentially become [FIPS 206][fips-206]. This means that | ||
| these algorithms, and their reference implementations, have received significant | ||
| scrutiny, and are specified as a public document and a standard. One concern | ||
| raised by earlier efforts was that of signature sizes, with a described minimum | ||
| of [666 bytes for a signature][signature-sizes]. Furthermore, [early | ||
| benchmarks][early-benchmarks] demonstrated tension between verification key size | ||
| and performance. These may have changed in the interim. | ||
|
|
||
| Another recent possibility is [SQIsign][sqisign]. While still in the process of NIST | ||
| standardization, and still being worked on, SQIsign promises very small | ||
| signatures and keys by comparison to the three previous approaches. This could | ||
| be very advantageous onchain, where space limitations are significant. The | ||
| research step of any solution to this problem should at least consider the | ||
| possibility of using it. Its main downside (other than its lack of | ||
| standardization or 'stability') is that verification is relatively slow: | ||
| however, current work may change this. | ||
|
|
||
| This shows that these open questions aren't straightforward, and will require at | ||
| minimum a well-researched justification for the choice of any of them. | ||
|
|
||
| ## Copyright | ||
|
|
||
| This CPS is licensed under [Apache-2.0](http://www.apache.org/licenses/LICENSE-2.0). | ||
|
|
||
| [quantum-computing]: https://en.wikipedia.org/wiki/Quantum_computing | ||
| [shors-algorithm]: https://en.wikipedia.org/wiki/Shor%27s_algorithm | ||
| [post-quantum-cryptography]: https://en.wikipedia.org/wiki/Post-quantum_cryptography | ||
| [ethereum-top-priority]: https://thequantuminsider.com/2026/01/26/ethereum-foundation-elevates-post-quantum-security-to-top-strategic-priority/ | ||
| [algorand-steps]: https://thequantuminsider.com/2026/01/26/ethereum-foundation-elevates-post-quantum-security-to-top-strategic-priority/ | ||
| [cip-121]: https://github.com/cardano-foundation/CIPs/tree/master/CIP-0121 | ||
| [cip-122]: https://github.com/cardano-foundation/CIPs/tree/master/CIP-0122 | ||
| [cip-123]: https://github.com/cardano-foundation/CIPs/tree/master/CIP-0123 | ||
| [grumplestiltskin]: https://github.com/mlabs-haskell/grumplestiltskin/tree/milestone-2 | ||
| [plutus-sha512]: https://github.com/IntersectMBO/plutus/blob/master/plutus-benchmark/bitwise/src/PlutusBenchmark/SHA512.hs | ||
| [plutus-ed25519]: https://github.com/IntersectMBO/plutus/blob/master/plutus-benchmark/bitwise/src/PlutusBenchmark/Ed25519.hs | ||
| [2030-strategic-framework]: https://product.cardano.intersectmbo.org/vision/strategy-2030 | ||
| [prior-attempt]: https://github.com/cardano-foundation/CIPs/issues/413 | ||
| [ml-dsa]: https://www.pq-crystals.org/dilithium/index.shtml | ||
| [falcon]: https://falcon-sign.info/ | ||
| [slh-dsa]: https://sphincs.org/ | ||
| [fips-205]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.205.pdf | ||
| [fips-204]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf | ||
| [fips-206]: https://www.digicert.com/blog/quantum-ready-fndsa-nears-draft-approval-from-nist | ||
| [signature-sizes]: https://sofiaceli.com/2022/07/05/pq-signatures.html | ||
| [early-benchmarks]: https://github.com/mgajda/CIPs/blob/michal/post-quantum-plutus/CIP-%3F%3F%3F%3F/README.md#plutus-api | ||
| [sqi-sign]: https://sqisign.org/ | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(other candidates welcome: here & at upcoming CIP meeting)
@kozross I'm hoping it's OK to drop the word
Digitalhere for the sake of generally required brevity because it's understood from the blockchain context (vs. "paper" signatures, "analog" signatures, etc.)... please correct me if wrong.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That seems fine to me. It's definitely clear from the context.