Syrga2: Post-Quantum Hash-Based Signature Scheme

: This paper proposes a new post-quantum signature scheme, Syrga2, based on hash functions. As known, existing post-quantum algorithms are classiﬁed based on their structures. The proposed Syrga2 scheme belongs to the class of multi-use signatures with state retention. A distinctive feature of state-retaining signatures is achieving a compromise between performance and signature size. This scheme enables the creation of a secure signature for r messages using a single pair of secret and public keys. The strength of signature algorithms based on hash functions depends on the properties of the hash function used in their structure. Additionally, for such algorithms, it is possible to specify the security level precisely. In the proposed scheme, the HBC-256 algorithm developed at the Institute of Information and Computational Technologies (IICT) is used as the hash function. The security of the HBC-256 algorithm has been thoroughly studied in other works by the authors. In contrast to the Syrga1 scheme presented in previous works by the authors, the Syrga2 scheme provides for the deﬁnition of different security levels determined by the parameter τ . This paper experimentally demonstrates the impossibility of breaking the proposed scheme using a chosen-plaintext attack. Additionally, the scheme’s performance is evaluated for signature creation, signing, and message veriﬁcation.


Introduction
Thanks to the continuous development of quantum computing, quantum communication, quantum cryptography, etc., quantum technologies have attracted the attention of the scientific and technical community in recent years and have become the subject of increased interest.Progress in research in the field of quantum technologies allows them to become more mature.While classical computers operate on binary codes, quantum computers use qubits to encode data.A qubit is a superposition of all intermediate states, allowing it to represent zero, one, or their linear combination.Thus, the application of quantum mechanics to computations allows a quantum computer to perform calculations much faster compared to a traditional computer.Quantum computers have high processing speed and the ability to solve specific tasks, which attracts the attention of many scientists and technical research organizations and contributes to their rapid development.In October 2019, Google announced the completion of a 53-qubit quantum computer.In November 2022, IBM announced the successful implementation of the Osprey quantum processor, capable of processing 433 qubits, and plans to release a processor with a memory volume of 4158 qubits in 2025 [1,2].
Quantum computers have brought about Shor's algorithm and Grover's algorithm, which impact the resilience of today's cryptographic algorithms.The most widely used asymmetric encryption algorithms like RSA, DSA, and others are becoming less secure and can be cracked in polynomial time, dependent on the size of the public key.This holds true for any asymmetric encryption algorithms whose security relies on the complexity of solving mathematical problems such as factoring numbers (decomposing a number into prime factors) and discrete logarithms in a finite field or on a set of points on an elliptic curve [3].In other words, all commonly used asymmetric encryption algorithms need to be replaced with algorithms whose security is based on the difficulty of solving other mathematical problems.For instance, RSA is a widely used public-key encryption system that underpins applications like web browsers and digital signature software [4].
Currently, there is a rivalry between quantum computing and classical cryptography.Classical cryptography safeguards the internet, blockchain ledgers, communication channels, and many other systems.Post-quantum cryptography aims to develop encryption algorithms resistant to attacks using algorithms on future quantum computers [5].
The fundamental differences between post-quantum cryptography methods and traditional ones lie in aspects such as mathematical foundations, resistance to attacks, key sizes, and performance, as well as their practical application.
In recent years, attacks on quantum key distribution (QKD) systems have been actively researched, and countermeasures have been proposed.Research results indicate that QKD systems have vulnerabilities not only in their protocols but also in other critical components of the systems [6,7].
The implications of the emergence of quantum computers for symmetric encryption algorithms and hash functions are not as critical.The cryptographic strength of any symmetric encryption algorithm and hash function when using a quantum computer is equivalent to the cryptographic strength of the same algorithm when using a classical computer, but with the encryption key or hash code length doubled [8].In other words, for symmetric encryption algorithms and hashing, one can simply double the length of the key or hash code to achieve the same cryptographic strength without changing the cryptographic algorithm.Increasing the length of the key or hash code will lead to increased encryption time.However, this is a natural progression: as computer performance and quantity grow, computational resources for attacks also increase.To defend against them, it is necessary to increase the size of the symmetric key or hash code.
In 2017, the National Institute of Standards and Technology (NIST) of the United States organized an open international competition for submissions and discussions on standardizing post-quantum cryptographic schemes.On 30 January 2019, NIST published a list of 26 candidate algorithms that had advanced to the second round of the competition.In July 2022, the third round of the NIST competition concluded, and the final list of algorithms for standardization in the United States was announced.Among the selected algorithms were the CRYSTALS-Dilithium, Falcon, SPHINCS+, digital signature schemes, and the CRYSTALS-Kyber key exchange scheme [9,10].
In July 2023, NIST published a list of digital signature schemes admitted to participating in the competition for an additional quantum-resistant standard.The list included 40 schemes out of 50 submitted ones, based on various synthesis principles, including lattice-based problems, coding, hash functions, and others.The main reason for conducting an additional round was the fact that the most efficient schemes-winners of the main stage (CRYSTALS-Dilithium, Falcon) are based on lattice-based problems, while the third finalist-SPHINCS-lags behind them in terms of performance.As of August 2023, several schemes from the new list have already demonstrated sufficiently effective attacks [11].
Hash-based cryptography creates signature algorithms whose security is mathematically based on the security of the chosen cryptographic hash function.For instance, SHA-2 is considered secure against attacks from the most powerful modern supercomputers and is also deemed quantum-safe.This implies that a hash-based signature algorithm using SHA-2 is essentially as secure as SHA-2 itself.Hash-based cryptography was initially developed by Lamport and Merkle in the late 1970s.Since the publication of the original Merkle scheme, hash-based algorithms have become more efficient [12].

A Brief Review of Existing Hash-Based Signature (HBS) Post-Quantum Signature Schemes
The concept of designing an electronic digital signature based on hash functions emerged in 1979 in the work of the American scientist Lamport [13].When creating a signature using a pseudo-random number generator (PRNG), 256 pairs of random 256-bit numbers (a i , b i ), i = 0, 255, are generated, which are considered the secret key of the system.By hashing the pairs of numbers (a i , b i ), corresponding pairs of public keys a i , b i , i = 0, 255, are created.In general, in this scheme, any cryptographically secure one-way function H can also be applied.
One of the well-known one-time signature schemes (OTS), used in many modern post-quantum signatures, is the Winternitz OTS (WOTS) scheme [14].In the construction of a signature in the WOTS scheme, a sequence of secret keys SK = (SK 0 , SK 1 , . . . ,SK m/w ) is first generated using a random number generator (RNG).Then, a sequence of public keys PK = (PK 0 , PK 1 , . . . ,PK m/w ) is generated using the hash function H applied 2 w − 1 times.
The WOTS scheme has several variations.One of them is the WOTS+ scheme, incorporated into the structure of the SPHINCS+ algorithm, which was presented in the NIST competition and selected after three rounds.The advantage of using a chain function in the WOTS+ scheme is that the high collision resistance of the hash function used in it is not a mandatory condition.
Nevertheless, since the mentioned schemes belong to the group of one-time signatures, it is necessary to carefully manage the keys when generating signatures for multiple messages.Therefore, in addition to them, schemes with few-time signatures (FTS) are also being developed.Among the most popular of these schemes is the HORS (Hash to Obtain Random Subset) scheme [15].
Several modifications of the HORS scheme have also been developed, such as HORSIC and HORSIC+.HORSIC employs a bijective function to transform all k parts into numerical values.Besides, a method for reducing the signature size is considered.In HORSIC+, the same chaining function as in the WOTS+ scheme is used to enhance security, but with the consideration of being resistant to chosen message attacks [16].
The drawback of the aforementioned schemes is that in some, a key cannot be used more than once, while in others, the level of security continues to decrease upon reusing the same key.To address these limitations, it is recommended to use a Merkle tree (binary hash tree).When constructing a binary tree, a single overall hash value, called the Merkle root, covering all data parts is computed.By using a single public key and a Merkle tree of height n, it is possible to create a common signature for 2 n messages [17].
Using the Merkle tree to manage keys of the WOTS+ scheme, a new scheme called XMSS (eXtended Merkle Signature Scheme) was created.In XMSS, the root of the Merkle tree is taken as the public key, and each leaf is the Merkle root from the set of WOTS+ public keys.Such a tree is also called an "L-tree".To sign a message M, a leaf of the tree that has not been used before is selected, and it uses secret keys to generate a WOTS+ signature.
In addition to the schemes mentioned above, there are several other ways to create HBS.Among them, it is worth noting the SPHINCS+ digital signature scheme, which was selected as a result of the NIST competition.In this scheme, there is also no need to track the state [18].One of the early versions of the SPHINCS+ algorithm, the SPHINCS algorithm, was developed using HORS-T and WOTS+ schemes, and to compute the root of the Merkle tree, keys need to be pre-generated.In the SPHINCS algorithm, by using a hypertree and a random string key address scheme, it was possible to manage multiple keys without computing all the leaves of the tree.
The SPHINCS+ algorithm, when signing a message, uses an enhanced version of HORS called the Forest of Random Subsets (FORS) scheme and a tunable hash function for security.In FORS, k binary trees of height n are considered.Since each tree contains t = 2 n secret keys, the total number of keys will be k × t.The roots of these trees are hashed together to form the FORS root.
In this section, brief descriptions of signature schemes Lamport, WOTS, WOTS+, HORS, and some others are provided.In general, algorithms based on post-quantum hash functions can be divided into two groups: stateful and stateless.Figure 1 shows schemes developed to date, grouped by structures. = 2 secret keys, the total number of keys will be  ×  .The roots of these trees are hashed together to form the FORS root.
In this section, brief descriptions of signature schemes Lamport, WOTS, WOTS+, HORS, and some others are provided.In general, algorithms based on post-quantum hash functions can be divided into two groups: stateful and stateless.Figure 1 shows schemes developed to date, grouped by structures.There is every reason to believe that hash-based cryptography will remain one of the priority directions in post-quantum cryptography.Algorithms in this field will rely solely on cryptographically secure hash functions for generating and verifying digital signatures.

Materials and Methods
Currently, there are several cryptographic signature schemes constructed based on hash functions.The security of such constructions cannot be proven based on any assumptions or properties of the considered hash function regarding collision resistance and message preimage recovery.However, it is not ruled out that some robust constructions may be less efficient than other approaches whose security has not yet been proven [19].
A balanced approach between strict security proof and complete lack of proof, which has proven successful in practice and passed experimental tests, is the adoption of an idealized model capable of demonstrating the security of cryptographic schemes.Among such approaches, the most popular is the random oracle model [20].
The random oracle model treats cryptographic hash functions as truly random functions.This model assumes the existence of a common random function H, which can only be defined by "queries" to the oracle, and can be viewed as a "black box" that, for each unique query x, provides a random response H(x) uniformly distributed from its output space.Additionally, if a query is repeated multiple times, the oracle always returns the same response.
To describe the formal model of security, let's introduce definitions and concepts related to digital signature schemes.Definition 1.A quantity given by a function () of some parameter , is called negligible if for all ∀ > 0, ∃ > 0: ∀ ≥  () <  .Definition 2. Let ℳ be the message space.A digital signature scheme  = ((), (), ()) consists of a triple of probabilistic polynomial-time algorithms:

•
The algorithm (1 ), given the security parameter 1 , outputs a signature key (private key) SK and a verification key (public key) ;

•
The algorithm (, ) outputs the signature  of the message  ∈ ℳ using the key ; There is every reason to believe that hash-based cryptography will remain one of the priority directions in post-quantum cryptography.Algorithms in this field will rely solely on cryptographically secure hash functions for generating and verifying digital signatures.

Materials and Methods
Currently, there are several cryptographic signature schemes constructed based on hash functions.The security of such constructions cannot be proven based on any assumptions or properties of the considered hash function regarding collision resistance and message preimage recovery.However, it is not ruled out that some robust constructions may be less efficient than other approaches whose security has not yet been proven [19].
A balanced approach between strict security proof and complete lack of proof, which has proven successful in practice and passed experimental tests, is the adoption of an idealized model capable of demonstrating the security of cryptographic schemes.Among such approaches, the most popular is the random oracle model [20].
The random oracle model treats cryptographic hash functions as truly random functions.This model assumes the existence of a common random function H, which can only be defined by "queries" to the oracle, and can be viewed as a "black box" that, for each unique query x, provides a random response H(x) uniformly distributed from its output space.Additionally, if a query is repeated multiple times, the oracle always returns the same response.
To describe the formal model of security, let's introduce definitions and concepts related to digital signature schemes.

•
The algorithm Kg(1 n ) , given the security parameter 1 n , outputs a signature key (private key) SK and a verification key (public key) PK;

•
The algorithm Sign(SK, M) outputs the signature σ of the message M ∈ M using the key SK; The security of a digital signature scheme means that an adversary cannot create a forgery even if they have access to signatures on many messages of their choice.Security is defined using the following experiment for an adversary A and a parameter n: Experiment with signature Sig UF−CMA A,Σ (n).

2.
Adversary A is given the public key PK and access to the oracle Sign(SK, M) for any message M of their choice.The adversary returns (M; σ).

3.
The result of the experiment is 1 if Vf(M; σ) = 1 for M / ∈ M , where M is the set of messages for which signatures were requested by A. Definition 3. A digital signature scheme Σ = (Kg(), Sign(), V f ()) possesses the property of existential unforgeability under an adaptive chosen-message attack (UF-CMA) if, for all polynomialtime probabilistic adversaries A, there exists a negligible function negl, such that: Let n ∈ N be the security parameter and let F n = f k : {0, 1} n → {0, 1} n k ∈ K be a family of functions.The elements of K a called key, and each key k defines a specific function f k in the family F n .
A function is pre-image resistant (or one-way) if it is easy to compute but hard to invert.The success probability of an adversary against the pre-image resistance of F n is given by: Definition 4. A family of functions F n is called pre-image resistant or one-way (OW) if, for all probabilistic polynomial-time adversaries A, there exists a negligible function negl, such that: Second-preimage resistance (HBS) refers to the difficulty of finding a second message with the same hash value for a given message with a known hash value, denoted as Sig SPR  A,Σ (n).
Definition 5. A family of functions F n is considered second-preimage resistant if the success probability of any polynomial-time adversary A is negligible: Regarding collisions in the context of hash function F, it refers to the situation where the hash values of two different inputs a and b are the same, i.e., F (a) = F (b) for a = b.Since the number of possible plaintexts is greater than the number of possible hash values, there are inevitably multiple preimages for some hash values.Hash functions for which finding collisions is a challenging task are called collision-resistant functions.Definition 6.A family of functions F n is considered collision-resistant if, for all polynomial-time adversaries A, there exists a negligible function negl, such that:

Description of the Post-Quantum Digital Signature Algorithm Syrga2
Increasing the number of qubits in quantum computing is an important area of research as it contributes to the development of more powerful quantum computers and opens up new possibilities for solving complex cryptographic problems that cannot be addressed by classical computers.Thus, post-quantum cryptography aims to create algorithms that can ensure security in a world with quantum computers, making it critically important for communication and data security.
The proposed algorithm Syrga2 in its structure and operation is similar to the postquantum digital signature algorithm Syrga1 and is considered its modified version [21].Syrga2 is a hash-based signature scheme, representing a stateful digital signature scheme.The preservation of the state is managed by a parameter or counter q, which is updated for each new signature created to prevent the reuse of the same key pair.The difference from Syrga1 lies in the method of forming a sequence of components of secret keys for signing a specific message.In Syrga2, there is no repetition of identical components of secret keys in the obtained sequence of values.The formed sequence, consisting of elements in a specific quantity, can be considered as a permutation or arrangement without repetitions in the sequence (set) of secret keys.The method of obtaining this sequence from non-repeating components of secret keys is presented below.
The scientific novelty of the proposed algorithm lies in the ability to obtain a set of intermediate secret keys by iteratively hashing the original set of secret keys r times.These intermediate keys enable the signing of r messages with one-time keys.An advantage of the algorithm is its relatively small signature size and implementation time, attributed to the absence of authentication paths characteristic of some algorithms using Merkle trees.Another feature of Syrga2 is the possibility to adjust the parameter τ to enhance its security level.The choice of τ is independent of the hash code length, allowing the use of any other hash function.
Like all other signature algorithms, the Syrga2 DSS Syrga−2 scheme consists of a trio of probabilistic polynomial-time algorithms: Kg Syrga2 () for key generation, Sign Syrga2 () for message signing, and Vf Syrga2 () for signature verification.In the DSS Syrga2 , M is regarded as the message space.

Key Generation Algorithm
The Kg Syrga2 (1 n ) algorithm, when given the security parameter 1 n , generates the private signing key SK and the public verification key PK.To generate SK, any pseudorandom number generator (PRG), denoted as G, can be used.G transforms random input of shorter length into longer n-bit pseudo-random output: G : {0, 1} * → {0, 1} t * n , where n, t ∈ N. The result of the function G is uniformly divided into t parts to define SK = (sk 0 , sk 1 , sk 2 , . . . ,sk t−1 ).To obtain the public key, a cryptographically secure hash function H 0 : {0, 1} n → {0, 1} n is utilized.The public key PK = pk 0 , pk 1 , pk 2 , . . ., pk t−1 of the DSS Syrga2 scheme is considered the result of r-fold hashing of SK, i.e., PK = H (r) 0 (sk i ), where i = 0, . . ., t − 1.For the Syrga2 scheme, security parameters and other initial parameters are defined as follows: n = 256, t = 256 and r = 1024.Consequently, the length of each sk i and pk i is 256 bits.
In the next step of key construction, a pair of secret and public keys for signing a specific message M q is defined, where 1 ≤ q ≤ t.It is noteworthy that the presented DSS Syrga2 scheme using the composed key pair KG : (SK; PK) allows for the one-time signing of r messages.Figure 2 illustrates how the secret keys generated by PRG after the qth hashing iteration produce intermediate secret keys SK q = sk (q) 0 , sk t−1 , where 1 ≤ q ≤ t (here, the index (q) implies the order of hashing).Thus, the pairs KG : SK q ; PK , formed with intermediate secret keys and common public keys, enable the signing of q messages.Since the intermediate keys SK q are used only once, the scheme ensures a high level of security.Below is the pseudocode (Algorithm 1) for the key generation algorithm described above.

Message Signing Algorithm
The Sign ( ,  , , ) algorithm takes as input the intermediate secret key  , the message to be signed  ∈ ℳ, where  is the number of elements in the permutation table , and the ordinal number  ∈ ℕ.The output is the signature  for the message  .The message signing process proceeds as follows.Let  be a given message, where  ∈ [1, 𝑟].Set ℎ =  and  = 0,  ∈  .Depending on the desired security level, the parameter  takes one of the following values: 32, 64, 128, 256.

Message Signing Algorithm
The Sign Syrga2 SK q , M q , τ, q algorithm takes as input the intermediate secret key SK q , the message to be signed M q ∈ M, where τ is the number of elements in the permutation table P, and the ordinal number q ∈ N. The output is the signature σ for the message M q .The message signing process proceeds as follows.Let M q be a given message, where q ∈ [1, r].Set h 0 = M q and ctr = 0, ctr ∈ Z. Depending on the desired security level, the parameter τ takes one of the following values: 32, 64, 128, 256.

Message Signature Verification Algorithm
The Vf Syrga2 (PK, Σ) algorithm verifies the authenticity of the message signature The algorithm assumes that the recipient has a set of public keys PK and is aware of the hashing algorithm H 1 : {0, 1} 256 → {0, 1} 256 .The Vf Syrga2 (PK, Σ) algorithm operates as follows: (1) Accept a signature Σ = M q , q, σ, τ and set the values h 0 = M q and ctr = 0, ctr ∈ Z.
Note: If in step (4) of the message signing algorithm and in step ( 5) of the message signature verification algorithm, after processing the data in the last cycle, s ≥ τ, then p τ and subsequent values in the P table are not considered.

Security Analysis of Syrga2
It is known that the signature σ 1 , σ 2 , . . ., σ τ is obtained from the hash values of the keys sk 1 , sk 2 , . . ., sk t .Since the Syrga2 scheme belongs to the class with state tracking (via the parameter q), the attacker cannot create a false signature.However, it is necessary to assess the security level of the Syrga2 scheme in case the user inadvertently reuses the parameter q multiple times.Let z denote the number of instances where the parameter q has been inadvertently reused, resulting in the attacker gaining knowledge of some key values.Theorem 1.Let F n = f k : {0, 1} n → {0, 1} n k ∈ K be a family of one-way functions resistant to second preimage attacks and undetectable, and H be a cryptographic hash function in the random oracle model.Then the insecurity of Syrga2 against UF-CMA attack is bounded by the probability: Proof of Theorem 1.The proof follows a similar approach to that of Theorem 1 presented in [16,22].Therefore, a full proof is not provided here; instead, only the proof idea is outlined.The proof relies on contradiction, assuming that the adversary A can forge a for Syrga2(1 n , t, τ), by mounting an attack based on a selected plaintext with success probability: The next step involves constructing an oracle machine M A , which breaks OW or SPR, using the adversary A's algorithm.The pseudocode description of the oracle machine M A is provided in Algorithm 4.
Nobody claims that a random oracle exists, although there have been conjectures that a random oracle could be implemented in practice using a trusted party.Rather, the random oracle model provides a formal methodology that can be used for the development and verification of cryptographic schemes using the following two-stage approach: − First, a scheme is developed and its security is proven in the random oracle model.
That is, we assume that there exists a random oracle in the world, and we build and analyze the cryptographic scheme within this model.Standard cryptographic assumptions that we have seen so far can also be used in proving security.− When we want to implement the scheme in the real world, the random oracle is unavailable.Instead, the random oracle is created using an appropriately designed cryptographic hash function Ĥ.That is, at each point where the scheme dictates that a party should request the value of H(x), from the oracle, the party instead computes Ĥ(x) itself.

Algorithm 4: M A
Input: Security parameter n, q, τ, M q , one-way challenge y c and second preimage resistance challenge x c Output: A value x that is either a preimage y c or a second preimage of x c under H 1 or "Fail" 1: Generate Syrga2 key pair: (SK, PK) = KgSyrga2() 2: Choose α $ ← {1, . . . ,τ} and β $ ← {1, . . . ,q} uniformly at random 3: Choose γ $ ← {β + 1, . . ., q − 1} uniformly at random 4: Obtain PK by setting (y c ) 5: Run A Sign(SK,•) PK 6: if A Sign(SK,•) PK queries Sign with M q then (6a) Generate P = (p 0 , p 1 , p 2 , . . . ,p τ−1 ), (y c ) then return the second preimage x 8: In any other case return "Fail" idea of Algorithm 4 is as follows.First, a key pair (SK, PK) of the Syrga2 scheme is generated, and then challenges are introduced for one-wayness (OW) at position β and for second preimage resistance (SPR) at position γ based on index α, resulting in the computation of PK .Subsequently, the modified public key PK is forwarded to A. The adversary can request the signature of a message M. If the computed value p ∝ during the evaluation of M satisfies the condition p ∝ < β, then signature generation is unsuccessful, and the algorithm terminates.Otherwise, using the modified public key PK , a signature σ is computed and passed to A. Consequently, a forged pair ( M , σ ). is created.If this forged signature σ is valid for signing M , it confirms the existence of a solution to one of the issues related to σ .Otherwise, M A returns "Fail", indicating the failure to find a preimage and collision.
Using the assumptions of one-wayness and second preimage resistance of F n , it is possible to estimate the success probability of A, when M A is invoked:

Security Level and Performance Evaluation of the Scheme
Since no cryptographic system is immune to all attacks, it is proposed to assess its security level.This is a challenging task, and one common subjective approach for such assessment is using the concept of "bit security"-b.The assessment of security bits takes into account all known general attacks on the mathematical problem and cryptographic scheme [23].Bit security bridges asymptotic and concrete modes of evaluating the security of cryptographic schemes.Whereas the asymptotic approach does not provide any guidance on concrete parameter selection, bit security helps us choose an appropriate set of parameters to guarantee a certain level of security when deploying cryptographic schemes [24].The objectivity of assessing the security level of a scheme largely depends on the fundamental building blocks and primitives of the scheme itself.It is considered that a cryptographic system has a security level of b if it can be expected that approximately O(2 b ) operations will be required for a successful attack on it [25].
Given Theorem 1, it is possible to compute the security level of Syrga2.This allows for comparing its security with that of other post-quantum digital signature schemes.
So, for a security level of b, we obtain: Table 1 displays the security level of Syrga2 for different values of the parameter τ alongside other post-quantum signature schemes, and includes the calculation formula.Figure 4 showcases the security level of Syrga2 for various τ options.
In Figure 4, the dynamics of the security level b are illustrated as a function of the parameter z.It has been experimentally determined that as z increases, in all considered instances of τ (τ = 32, 64, 96, 128), the security of the scheme decreases.
The number of keys that became known to the adversary due to the reuse of the parameter q is denoted as z.However, it is worth noting that even with the maximum value of z, when z = τ, the scheme still provides the required level of security.
Table A1 in Appendix A presents the input parameters, including the parameter z, which ranges from 16 to 32 with a step of 4, along with their corresponding security level values.The parameter z characterizes the number of compromised secret keys when the same q is reused erroneously.The value of the parameter q cannot exceed the value of the τ, i.e., the number of intermediate secret keys selected for signing the message τ, i.e., the number of intermediate secret keys selected for signing the message M.
Table 1.Security level of some post-quantum signature schemes.Table 1.Security level of some post-quantum signature schemes.The number of keys that became known to the adversary due to the reuse of the parameter q is denoted as z.However, it is worth noting that even with the maximum value of z, when  = , the scheme still provides the required level of security.

Schemes
Table A1 in Appendix A presents the input parameters, including the parameter , which ranges from 16 to 32 with a step of 4, along with their corresponding security level values.The parameter  characterizes the number of compromised secret keys when the same  is reused erroneously.The value of the parameter  cannot exceed the value of the parameter , i.e., the number of intermediate secret keys selected for signing the message , i.e., the number of intermediate secret keys selected for signing the message M.

Performance Evaluation of Syrga2
In this subsection, the efficiency of Syrga2 is analyzed using the HBC-256 and HAS01 hash functions developed at the IICT [26][27][28].Software was implemented in the C++

Performance Evaluation of Syrga2
In this subsection, the efficiency of Syrga2 is analyzed using the HBC-256 and HAS01 hash functions developed at the IICT [26][27][28].Software was implemented in the C++ programming language using the Microsoft Visual Studio integrated development environment for an objective performance evaluation.The characteristics of the PC used for the study are as follows: operating system-Windows 10 Pro (version 22H2), system type-64-bit operating system, processor-Intel(R) Core(TM) i5-7500T CPU @ 2.70 GHz, RAM-8.00GB.
The results of the program's operation with various input parameters are presented in Tables 2 and 3.The size of the original file for signing is 30 bytes.The file was chosen to be small because the main goal of the research was to test the operation of the post-quantum algorithm for signature generation and verification.It is important to note the generation of the P-box separately.The P-box is dynamically generated in the program based on the hash values of the message M. Using the obtained values of the P-box and the private keys, a signature is formed.Analysis of the values obtained in Tables 2 and 3 shows that the execution time of the Kg Syrga2 () algorithm remains the same for different values of the parameter τ, as it does not affect the key generation process.The formation of the permutation table P-box actually takes very little time, which is reflected in the tables using the comparison sign "<".It is also worth noting that the total execution times of the Sign Syrga2 () and Vf Syrga2 () algorithms in Tables 2 and 3 are approximately the same.For example, when τ = 128, the total time is 2350 + 0.01 = 2350.01ms in Table 2 and 1177 + 1203 = 2380 ms in Table 3.Thus, it can be concluded that the overall execution time of the entire hashing process is practically independent of the value of q from which the hashing continues.
Table 4 presents a comparative analysis of the SYRGA2 scheme with other algorithms in terms of performance, key length, and signature length.For SYRGA2, parameters that showed the longest time were selected, i.e., q = 512 and τ = 128.As seen in Table 4, the most time-consuming part of the SYRGA2 algorithm is key generation, which takes about 5 s, while the other procedures collectively take about one second.Although this is slower than some of the algorithms listed in Table 4, it should be noted that the 5 s spent (to obtain a single public key) allows for the creation of a secure signature for at least 1024 messages.
If we compare SYRGA2 with SPHINCS-256 and HORS, they show better results in time parameters, but the key size is larger than that of SYRGA2.XMSS (SHA2-256), when compared with the proposed scheme, shows worse results in time parameters, but the key size is smaller than that of SYRGA2.All this depends on the individual structure of the considered schemes, the cryptographic parameters used in it, the performed optimization operations, as well as the computing resources of the computer.
One of the most promising directions in post-quantum cryptography is cryptographic systems for digital signatures based on hash functions.The resilience of hash functions less affected by the advent of quantum computers.For example, the complexity of solving the hash function collision search problem remains within safe limits today even when the length of the hash function value is increased by one and a half times.
The proposed post-quantum digital signature scheme Syrga2 includes the HBC-256 hashing algorithm developed by the same authors.The security of Syrga2 is based on the resilience of HBC-256, where it manipulates the parameter k-the number of parts from 3 to 8 of the data to be hashed and an additional function ComF, which determines the length of the hash value.The maximum length of the hash value in HBC-256 can reach 1024 bits.Therefore, to find a collision in hash values of length 1024 bits using the "Birthday Paradox" method with a probability of 0.5, 0.83•2 512 messages would be required, which is not feasible for existing quantum computers.

Future Work
At this stage of the research, the main focus was on the development of a new digital signature scheme and ensuring its security.Therefore, special attention was given to verifying the correct functioning of the developed scheme with the capability for stepby-step monitoring of this process.Future work will involve selecting the optimal value of the parameter q, which significantly impacts the efficiency and performance of the scheme.Emphasis will be placed on optimizing the software code using cryptographic libraries.Performance evaluation will be carried out using the universal metric "cycles per byte" (CPB), which is applicable to cryptographic schemes.Furthermore, hardware implementation of the scheme is planned for the future.All these efforts require a significant amount of work for the practical application of the developed scheme.The results obtained will be reflected in the authors' articles, which are planned to be published shortly.

Conclusions
Post-quantum cryptography is currently in the phase of active research and standardization and is already beginning to be implemented in real applications, even though many algorithms have not yet undergone standardization and testing procedures.Therefore, the scale of implementation of the proposed scheme will be determined based on its reliability in practice.
The main feature of the proposed Syrga2 scheme is that a single key pair {SK, PK} can be used to sign multiple messages.The potential number of messages is determined by the parameter q, while the security level of the scheme remains unaffected.Since the proposed scheme is stateful, it is important to control this parameter.The article demonstrates how erroneously reusing the value of q affects the security level.In the Syrga2 scheme, the size of the signature is determined by the parameter τ and takes values of 32, 64, 96, and 128.As shown in Table 3, if signing speed is important to users, it is preferable to choose smaller values of τ, whereas if security is more important, larger values of τ should be chosen.The algorithms for hashing HAS01 and HBC-256, developed at IICT, were used in calculating the signature generation speed and all other measurements.The reliability of these hashing algorithms is presented in other works by the authors. of post-quantum cryptography algorithms based on hash functions" at the Institute of Information and Computational Technologies.

Figure 2 .
Figure 2. Scheme for constructing the signature private key  and the verification public key .

Figure 2 .
Figure 2. Scheme for constructing the signature private key SK and the verification public key PK.

Figure 3 .
Figure 3. Generating the signature σ for the message M q .

Figure 4 .
Figure 4. Security level of Syrga2 for various values of .

Figure 4 .
Figure 4. Security level of Syrga2 for various values of τ.

Table 4 .
A comparative summary of the hash-based signature scheme.