Hybrid Post-Quantum Cryptography Implementation Status

[apierr]

📋 Project Goal

Enable Hyperledger Fabric to create and verify signatures using a hybrid cryptographic scheme combining:

• Classical: ECDSA (Elliptic Curve Digital Signature Algorithm)
• Post-Quantum: Dilithium or Falcon (NIST PQC standards)

This allows measuring performance impact of PQC on blockchain transactions.

---

✅ What Has Been Completed

1. Infrastructure Setup

A. HYBRID BCCSP Provider (bccsp/hybrid/hybrid.go)

• Status: ✅ Complete stub implementation
• What it does:
  • Implements all 10 methods required by Fabric's BCCSP interface
  • Currently delegates all operations to SW provider (ECDSA)
  • Serves as foundation for future PQC integration
• Key methods:

  KeyGen()    // Generate cryptographic keys
  Sign()      // Sign message digests
  Verify()    // Verify signatures
  Hash()      // Hash operations
  Encrypt()   // Encryption (delegated)
  Decrypt()   // Decryption (delegated)

B. HYBRID Factory (docker/compose/hybridfactory.go)

• Status: ✅ Implemented
• What it does:
  • Registers HYBRID as a valid BCCSP provider type
  • Follows Fabric's factory pattern (similar to SWFactory)
  • Initializes keystores and creates HYBRID BCCSP instances

C. Factory System Integration

• Status: ✅ Integrated
• Modified file: bccsp/factory/nopkcs11.go (during Docker build)
• Changes:

  // In initFactories()
  case "HYBRID":
    f := &HYBRIDFactory{}
    defaultBCCSP, err = initBCCSP(f, config)
  
  // In GetBCCSPFromOpts()
  case "HYBRID":
    f = &HYBRIDFactory{}

D. Custom Peer Docker Image

• Status: ✅ Built successfully
• Image: custom-fabric-peer:2.5
• Build process:
  1. Clone Fabric 2.5 sources
  2. Inject HYBRID provider code
  3. Modify factory system with sed
  4. Compile peer binary
  5. Package in runtime image
• Size: ~2.5GB (includes build environment)

E. Docker Compose Configuration

• Status: ✅ Configured and tested
• File: docker/compose/fabric-baseline-hybrid.yaml
• Key settings:

  environment:
    - CORE_PEER_BCCSP_DEFAULT=HYBRID
    - FABRIC_LOGGING_SPEC=INFO:bccsp=DEBUG

• Validation: Peer starts successfully with log: default: HYBRID

---

⏳ What Remains To Be Done

Phase 1: Post-Quantum Algorithm Integration (2-3 days)

A. Add liboqs Library

# Add dependency in go.mod
go get github.com/open-quantum-safe/liboqs-go/oqs

B. Implement PQC Key Generation

File: bccsp/hybrid/hybrid.go

import "github.com/open-quantum-safe/liboqs-go/oqs"

type HybridBCCSP struct {
    sw  bccsp.BCCSP
    pqc *oqs.Signature  // Add PQC signer
}

func (h *HybridBCCSP) KeyGen(opts bccsp.KeyGenOpts) (bccsp.Key, error) {
    // 1. Generate ECDSA key (existing)
    ecdsaKey, err := h.sw.KeyGen(opts)
    
    // 2. Generate Dilithium key (NEW)
    h.pqc.Init("Dilithium3", nil)
    pqcPublic := h.pqc.GenerateKeypair()
    
    // 3. Wrap both keys in HybridKey struct
    return &HybridKey{ecdsa: ecdsaKey, pqc: pqcPublic}, nil
}

C. Implement Hybrid Signing

func (h *HybridBCCSP) Sign(k bccsp.Key, digest []byte, opts bccsp.SignerOpts) ([]byte, error) {
    // 1. Sign with ECDSA
    ecdsaSig, err := h.sw.Sign(k.ECDSAKey(), digest, opts)
    
    // 2. Sign with Dilithium
    pqcSig, err := h.pqc.Sign(digest)
    
    // 3. Combine signatures
    hybridSig := CombineSignatures(ecdsaSig, pqcSig)
    
    return hybridSig, nil
}

Signature format (example):

[4 bytes: ECDSA length] [ECDSA signature] [PQC signature]

D. Implement Hybrid Verification

func (h *HybridBCCSP) Verify(k bccsp.Key, signature, digest []byte, opts bccsp.SignerOpts) (bool, error) {
    // 1. Parse combined signature
    ecdsaSig, pqcSig := ParseHybridSignature(signature)
    
    // 2. Verify ECDSA
    validECDSA, _ := h.sw.Verify(k.ECDSAKey(), ecdsaSig, digest, opts)
    
    // 3. Verify PQC
    validPQC := h.pqc.Verify(digest, pqcSig, k.PQCKey())
    
    // 4. Both must be valid
    return validECDSA && validPQC, nil
}

---

Phase 2: Key Management (1-2 days)

A. Extend MSP Certificate Structure

Problem: Current MSP certificates contain only ECDSA keys

Solution:

Current MSP:
  msp/
    keystore/
      priv_sk  ← ECDSA private key

Hybrid MSP:
  msp/
    keystore/
      ecdsa_priv_sk     ← ECDSA key
      dilithium_priv_sk ← PQC key
    signcerts/
      cert.pem          ← Contains both public keys

B. Modify Certificate Generation

File: docker/compose/generate-hybrid-certs.sh (to create)

#!/bin/bash
# Generate ECDSA key (existing)
cryptogen generate --config=crypto-config.yaml

# Generate Dilithium keys (NEW)
for org in org1 orderer; do
  liboqs-keygen --alg Dilithium3 \
    --out configs/${org}/msp/keystore/dilithium_priv_sk
done

C. Custom Key Type

// bccsp/hybrid/keys.go
type HybridKey struct {
    ecdsaKey bccsp.Key
    pqcPubKey []byte
    pqcPrivKey []byte
}

func (k *HybridKey) Bytes() []byte {
    // Serialize both keys
}

func (k *HybridKey) SKI() []byte {
    // Combined Subject Key Identifier
}

---

Phase 3: Protocol Integration (3-5 days)

A. Transaction Signature Updates

Files to modify:

• core/endorser/endorser.go - Endorsement signatures
• core/committer/txvalidator/validator.go - Signature verification

Changes:

// Before: Single ECDSA signature
signature := signer.Sign(proposal)

// After: Hybrid signature (transparent)
signature := hybridSigner.Sign(proposal)  // Returns combined sig

B. Block Signature Updates

File: orderer/common/blockcutter/blockcutter.go

// Ensure block metadata includes hybrid signatures
block.Metadata.Signatures = hybridSignatures

C. Configuration Updates

File: core/ledger/kvledger/txmgmt/validation/validator.go

// Add hybrid signature validation logic
func (v *Validator) ValidateAndPrepareBatch(...) {
    for _, tx := range block.Transactions {
        // Validate hybrid signature
        valid := hybridBCCSP.Verify(tx.Signature, tx.Payload)
    }
}

---

Phase 4: Testing & Validation (2-3 days)

A. Unit Tests

// bccsp/hybrid/hybrid_test.go
func TestHybridSign(t *testing.T) {
    hybrid := NewHybridBCCSP(...)
    key, _ := hybrid.KeyGen(...)
    
    sig, err := hybrid.Sign(key, digest, nil)
    assert.NoError(t, err)
    assert.True(t, len(sig) > 70) // ECDSA (~70) + Dilithium (~2420)
}

func TestHybridVerify(t *testing.T) {
    // Test signature verification
}

B. Integration Tests

# Test end-to-end transaction flow
cd tests/integration
./test_hybrid_transaction.sh

Test scenarios:

1. Create channel with hybrid signatures
2. Deploy chaincode with hybrid endorsement
3. Invoke transaction and verify hybrid signatures in block
4. Query ledger and validate all signatures

C. Performance Benchmarking

# Run Caliper benchmark comparing:
# 1. ECDSA baseline
# 2. HYBRID (ECDSA + Dilithium)
# 3. PQC-only (future)

cd simulations
./benchmark_hybrid.sh

Metrics to collect:

• Transaction latency (ms)
• Throughput (tx/sec)
• Signature size (bytes)
• CPU usage (%)
• Memory consumption (MB)

---

📊 Implementation Timeline

Phase	Task	Estimated Time	Complexity
1A	Add liboqs dependency	2 hours	Low
1B	Implement PQC KeyGen	4 hours	Medium
1C	Implement hybrid Sign	6 hours	Medium
1D	Implement hybrid Verify	4 hours	Medium
2A	Extend MSP structure	4 hours	Medium
2B	Modify cert generation	6 hours	High
2C	Create HybridKey type	3 hours	Low
3A	Update transaction flow	8 hours	High
3B	Update block signatures	4 hours	Medium
3C	Update validation logic	6 hours	High
4A	Write unit tests	6 hours	Medium
4B	Integration tests	8 hours	High
4C	Performance benchmarks	6 hours	Medium
	TOTAL	67 hours (~8-10 days)

---

🎯 Current System Capability

What Works Now

✅ Peer starts with HYBRID provider
✅ Provider is registered in factory system
✅ All BCCSP methods are implemented (delegating to ECDSA)
✅ Docker build system is operational
✅ Network configuration is correct

What Doesn't Work Yet

❌ No actual PQC signatures (still using ECDSA only)
❌ No Dilithium/Falcon key generation
❌ No hybrid signature format defined
❌ Certificates contain only ECDSA keys
❌ No performance benchmarks available

---

🚀 Next Immediate Step

Start with Phase 1A: Integrate liboqs library

# 1. Update bccsp/hybrid/hybrid.go to import liboqs
# 2. Update Dockerfile to install liboqs system library
# 3. Test basic Dilithium key generation
# 4. Implement hybrid Sign() method
# 5. Test with simple unit test

Expected outcome: Peer can generate and verify hybrid signatures locally, ready for full protocol integration.

---

📚 References

• liboqs-go documentation
• NIST PQC Standards
• Fabric BCCSP Architecture
• Dilithium Specification

---

Document Version: 1.0
Last Updated: December 27, 2024
Status: Infrastructure Complete, PQC Integration Pending