
On the Role of Hash-based Signatures in Quantum-Safe Internet of Things: Current Solutions and Future Directions

Sabah Suhail, Rasheed Hussain, Abid Khan, and Choong Seon Hong
S. Suhail and C. S. Hong are with the Department of Computer Science and Engineering, Kyung Hee University, South Korea (e-mail: sabah, [email protected]). R. Hussain is with the Networks and Blockchain Lab, Innopolis University, Russia (e-mail: [email protected]). A. Khan is with the Department of Computer Science, Aberystwyth University, United Kingdom (e-mail: [email protected]).
Abstract

The Internet of Things (IoT) is gaining ground as a pervasive presence around us by enabling miniaturized “things” with computation and communication capabilities to collect, process, analyze, and interpret information. Consequently, trustworthy data act as fuel for applications that rely on the data generated by these things, for critical decision-making processes, data debugging, risk assessment, forensic analysis, and performance tuning. Currently, secure and reliable data communication in IoT is based on public-key cryptosystems such as Elliptic Curve Cryptosystem (ECC). Nevertheless, reliance on the security of de-facto cryptographic primitives is at risk of being broken by the impending quantum computers. Therefore, the transition from classical primitives to quantum-safe primitives is indispensable to ensure the overall security of data en route. In this paper, we investigate applications of one of the post-quantum signatures called Hash-Based Signature (HBS) schemes for the security of IoT devices in the quantum era. We give a succinct overview of the evolution of HBS schemes with emphasis on their construction parameters and associated strengths and weaknesses. Then, we outline the striking features of HBS schemes and their significance for the IoT security in the quantum era. We investigate the optimal selection of HBS in the IoT networks with respect to their performance-constrained requirements, resource-constrained nature, and design optimization objectives. In addition to ongoing standardization efforts, we also highlight current and future research and deployment challenges along with possible solutions. Finally, we outline the essential measures and recommendations that must be adopted by the IoT ecosystem while preparing for the quantum world.

Index Terms:
Blockchain, Hash-based signature, Internet of Things, Public-key cryptography, Quantum computing.

I Introduction

The proliferation of cost-effective miniaturized devices with computation and communication capabilities is providing promising solutions to enhance the quality of life in a plethora of ubiquitous application areas including, but not limited to, smart cities, meteorology, health-care systems, smart grid, industrial automation, and precision agriculture. Together, these devices constitute the Internet of Things (IoT) [1]. Regardless of such comforts, the revolutionary IoT technology is vulnerable to security flaws that arise from the interconnection of unattended and globally accessible things over the untrusted and unreliable Internet. Loopholes in the system infrastructure lure adversaries into launching different attacks, for example data forging, Sybil attacks, false data injection, replay attacks, and denial of participation. Such attacks can have catastrophic consequences for high-assurance applications that make crucial decisions based on aggregated sensor data (such as health-care, industrial, and financial applications) [2, 3]. Thus, to provide data authenticity and protection against data forgery, potential countermeasures for IoT security are essential elements for ensuring authentic and trustworthy data acquisition and data communication.

TABLE I: Acronyms and their explanation.
IoT: Internet of Things
HBS: Hash-Based Signature
OTS: One-time Signature
WOTS: Winternitz OTS
WOTSPRF: WOTS (Pseudo Random Function)
MTS: Multi-time Signature
MSS: Merkle Signature Scheme
XMSS: Extended MSS
HS: Hierarchical Signature
LMS: Leighton Micali Scheme
XMSS-T: XMSS with tightened security
XMSSMT: XMSS (Multi Tree)
FTS: Few-Time Signature
HORS: Hash to Obtain Random Subset
PORS: PRNG to Obtain Random Subset
HORS-T: HORS (with Tree)
DLT: Distributed Ledger Technology
IIoT: Industrial IoT
PQC: Post Quantum Cryptography
PRNG: Pseudo-Random Number Generator
QRNG: Quantum Random Number Generation
QKD: Quantum Key Distribution

Security protocols usually rely on digital signatures as a cornerstone for authentication, integrity, and non-repudiation. For instance, digital signatures are used for code signing of software and firmware to ensure legitimate updates, upgrades, and patches; in Distributed Ledger Technology (DLT) to ensure valid cryptocurrency transactions; in Vehicular Ad hoc NETworks (VANETs) to ensure trustworthy message communication among vehicles and road-side units; and in medical implantable and wearable sensors to ensure data integrity.

In these real-world scenarios, the most widely used digital signature schemes are RSA [4], the Digital Signature Algorithm (DSA) [5], and the Elliptic Curve Digital Signature Algorithm (ECDSA) [6]. The security of these classical cryptographic primitives relies on the hardness of factoring integers and computing discrete logarithms [7]. However, with the not-so-far arrival of quantum computers, these computational problems are expected to become susceptible to quantum cryptanalysis using Shor’s quantum algorithm [8] and variational quantum factoring [9], and therefore solvable by quantum computers in polynomial time. Doubling the key length increases the difficulty; however, this is not enough for a sustainable edge. Furthermore, Grover’s algorithm [10] speeds up brute-force key search, which captures the effect of quantum computing on symmetric cryptography.

In the interim, the security mechanisms of digital signatures not only create the need for rigorous scrutiny to thwart both classical and post-quantum attacks but also call for state-of-the-art security solutions that let resource-constrained and performance-constrained IoT devices continue utilizing IoT-based services in the quantum world. Therefore, the inexorable march of quantum hype entails dependable quantum-safe digital signature schemes. In this regard, Hash-Based Signature (HBS) schemes [11] are promising candidates: they offer security proofs relative to plausible properties of the hash function, and they are the object of leading-edge standardization efforts.

TABLE II: Existing surveys and articles.
Year | Paper | Topic(s) of the article/survey | Related content in our paper | Enhancements in our paper
2015 | [12] | Further advantages of hash-based signatures; obstacles to widespread use; bridging the gap | Section V-A, Section V-B1 | Coverage of technical, non-technical, and social challenges along with possible solutions to the respective problems for both stateful and stateless HBS schemes from an IoT design and implementation perspective; current state-of-the-art standardization efforts and industrial-scale implementation efforts.
2016 | [11] | Stateful hash-based signature schemes; one-time state synchronization security risks; overhead for hash-based signatures | Section II-B, Section V-B1 | Overview of stateful and stateless HBS along with a detailed taxonomy; in-depth discussion of technical and non-technical challenges, particularly in the context of IoT.
2017 | [13] | Hash-based signature basics; challenges and trade-offs | Section II-B, Section III, Section V-A, Section V-B1 | Overview of stateful and stateless HBS along with a detailed taxonomy; up-to-date standardization efforts; coverage of HBS features from the perspective of the IoT domain.
2017 | [7] | Ongoing projects and developments | Section V-A | Up-to-date standardization efforts including the state-of-the-art industrial-scale efforts.
2018 | [14] | Hash-based signatures; challenges | Section V-A, Section V-B1 | Up-to-date standardization efforts; detailed technical and non-technical challenges.

I-A Existing Literature

To date, few surveys have investigated the various aspects of Post Quantum Cryptography (PQC). To the best of our knowledge, most existing surveys and articles focus on sparse aspects of post-quantum digital signature schemes: providing only a panoramic view of the schemes, covering only technical details without connecting them to any application domain, treating schemes other than HBS in combination with IoT, or presenting HBS basics without exploring their association with any domain. Hence, they are only indirectly related to HBS-driven IoT. By narrowing our survey to HBS schemes featuring IoT applications and focusing on higher-level issues, we present a holistic approach towards HBS in combination with IoT.

Starting with the most relevant paper, in [14] the authors investigate the role of HBS schemes with a focus on the underlying challenges in the IoT domain. Similarly, in [13] the authors provide an overview of post-quantum signature schemes with an emphasis on the basic structure of HBS schemes, along with a few example schemes from each category (i.e., stateless and stateful), their features, and standardization. [12] lays out the obstacles to the widespread use of HBS in general. Besides, the authors discuss the efforts needed by the cryptographic research community to focus on standardization and on integration into commonly used cryptographic software libraries and security protocols, so as to support the broad adoption of HBS in the real world. On the other hand, some works mostly cover the technical aspects of HBS schemes (optimizing schemes through construction parameters, mathematical analysis, and performance evaluation through implementation on IoT platforms). These works include [11] (discusses the problem of state management and provides possible solutions), [15] (discusses optimization of stateless HBS schemes), and [16, 17, 18] (implement and evaluate proposed schemes on IoT devices), to name a few. Lastly, the focal point of some existing articles is other classes of post-quantum signature schemes in view of the IoT domain. For example, [19] discusses the role of PQC in IoT and the associated open challenges. [7] focuses on lattice-based and multivariate polynomial-based algorithms for constrained devices and networks. Similarly, [20] emphasizes the suitability of lattice-based cryptography for securing the communication between IoT and edge devices. Table II presents a summary of these surveys and their differences from our survey.

I-B Scope of This Survey

In this paper, we present a comprehensive and systematic review of the state-of-the-art technical, non-technical, and social issues that arise from integrating HBS schemes into the IoT. The main contributions of our paper are summarized as follows.

  • Starting from the potential grounds for the transition to post-quantum signature schemes, we discuss the key questions that elaborate the reasoning behind this transition and the further actions it requires. Then, we provide a high-level working of the family of HBS schemes, categorized as stateless, stateful, and hybrid based on key generation, signature generation, and other construction parameters. Along with the evolution of HBS schemes, we also highlight the strengths and weaknesses of the respective schemes.

  • We focus on the features of HBS schemes and their significance for securing the application-dependent and platform-dependent IoT.

  • With reference to IoT-driven use-cases, we present various elemental factors that must be considered while introducing HBS schemes in the IoT ecosystem.

  • In addition to the on-going standardization efforts and state-of-the-art industrial efforts, we provide an in-depth review of various research challenges such as technical, non-technical, and social challenges. We also map such requirements from IoT perspectives, highlight the open-ended challenges that need to be addressed by the research community, and finally outline recommendations to prepare and act strategically while moving towards the quantum era.

The rest of the paper is organized as follows: Table I lists all the acronyms used in the paper. Section II covers HBS schemes by including a quick high-level overview of the different types of stateful and stateless HBS schemes. The peculiar features of HBS schemes and their significance for the IoT domain are outlined in Section III. Considering the constraints of IoT devices, the usage of HBS in the IoT environment is presented in Section IV. Section V describes the technical, non-technical, and social challenges and requirements of HBS schemes. Finally, Section VI concludes the paper.


Figure 1: Taxonomy of hash-based signature schemes.

II Transition from Traditional Digital Signatures to Hash-Based Signatures

Starting with the limitations of traditional digital signature schemes under the looming threat that quantum computing poses to traditional cryptographic solutions, in this section we present the potential reasons for the transition to quantum-secure schemes. Then, we discuss HBS schemes as quantum-safe security solutions and provide a quick overview of their evolution in terms of key generation, signature generation, signature verification, etc.

TABLE III: Examples of widely deployed cryptographic systems for 128-bit pre-quantum security level.
Class | Cryptographic primitive | Cryptosystems | Post-quantum security level (broken by algorithm)
Public-key cryptography | Integer factorization | RSA | Shor
Public-key cryptography | Discrete logarithm | DH, DSA, Elgamal | Shor
Public-key cryptography | Elliptic curves | ECDH, ECDSA | Shor
Symmetric cryptography | - | AES | Grover
Symmetric cryptography | - | SHA-256 (pre-image security) | Grover

II-A Limitations of Classical Digital Signature Schemes

The end of traditional cryptosystems is marked by Shor’s and Grover’s algorithms. On one hand, Shor’s algorithm solves the underlying mathematical problems of public-key algorithms (as listed in Table III); on the other hand, Grover’s algorithm can reduce the effective security strength of symmetric algorithms (such as the Advanced Encryption Standard (AES) [21] and 3-DES (Triple Data Encryption Standard) [22]) to roughly half for a given key length, thereby rendering infrastructures secured by them vulnerable to exploitation [23].

With the proliferation of quantum computing technologies, the prospect of the end of the currently used classical digital signature schemes in the foreseeable future raises the following concerning questions. The first question is: despite the conjectured security of the underlying cryptographic mechanisms, why are the traditional signature schemes unable to withstand quantum computers? Crudely put, the exponential speed-up brought about by a quantum computer stems from the fact that it acts as a massively parallel computer, which is made possible by the quantum mechanical phenomenon called superposition (i.e., the ability of a quantum bit (qubit) to be both a one and a zero at the same time). Thus, a proper implementation of the superposition state in a quantum computer can provide exponential computing power which may break all existing schemes.

The second question is: what will happen if all current cryptographic security solutions suddenly become ineffective? The failure of classical cryptosystems may have a devastating effect on systems and may destroy the security fabric that connects much of the omnipresent IoT world today and in the near future. Thus, in addition to other domains, the IoT applications that rely on the pivotal features of existing digital signatures, namely data integrity, message authentication, and non-repudiation, will suffer profound consequences for the security and privacy of sensory data.

The third question is: when is such a dilemma going to happen? According to experts at the University of Waterloo, there is a 1-in-7 chance of these cryptographic primitives being affected by quantum attacks in 2026, and a 1-in-2 chance by 2031 [24].

Finally, the fourth question is: what to do now? To secure IoT applications, quantum-safe schemes are being explored by academia and industry. Post-quantum signature schemes can be classified into five categories: i) hash-based, ii) lattice-based, iii) multivariate polynomial based, iv) code-based, and v) supersingular isogeny based schemes. Among these quantum-secure signature schemes, we opted for HBS schemes because, to name a few reasons, they are well studied, rest on minimal security assumptions, are practical and reasonably fast, yield small signatures, and have strong security guarantees. The afore-mentioned discussion calls for the transition to quantum-secure algorithms to ensure adequate cryptographic protection in the hyper-connected IoT world. In the following, we dive a bit deeper into the stateful and stateless HBS schemes.

II-B HBS Schemes: From Stateful to Stateless

The design principle of HBS is to leverage an underlying cryptographically secure hash function that exhibits the required security properties, including one-wayness (pre-image resistance), second-preimage resistance, and collision resistance. Based on the implementation approach, HBS schemes can be classified as stateless and stateful schemes, which can be further categorized as One-Time Signature (OTS), Few-Time Signature (FTS), Multi-Time Signature (MTS), and Hierarchical Signature (HS) schemes, depending on key generation, signature generation, and other construction parameters. Fig. 1 presents the detailed classification of stateful and stateless HBS schemes. In the following, we further elaborate on these categories.

II-C Stateful HBS Schemes

A stateful digital signature scheme necessitates maintaining an updated, non-repeated secret key upon each signature generation. It is essential to keep track of the used key pairs; failing to do so degrades the security of the cryptographic scheme. The different categories of stateful schemes are as follows:

II-C1 Stateful One-time Signature Schemes (OTS)

Among the stateful signature schemes, OTS schemes form the fundamental building block of HBS. Common examples of seminal OTS schemes are the Lamport-Diffie scheme [25], the Winternitz scheme (WOTS) [26], and its variants WOTS+ [27] and WOTSPRF. In OTS schemes, the private key is generated uniformly at random, whereas the public key is derived as a function of the private key involving the underlying hash function.

The Lamport-Diffie scheme provides very strong security under minimal assumptions; however, it has some major downsides which have prevented its wide adoption. Firstly, it is one-time, making it unsuitable for the majority of digital signature use cases. Secondly, the keys and the signatures are extremely large (as shown in Table IV). The deterring issue of extremely large key length and signature size in the Lamport-Diffie scheme is resolved by WOTS through the introduction of a Winternitz parameter that controls a time/memory trade-off. Reducing the space required for keys and signatures makes WOTS a good choice for memory-constrained embedded devices (and hence IoT), but at the cost of slower signing and verification. Overall, OTS schemes are single-use in nature (i.e., a key pair can only sign a pre-defined number of messages, which introduces a key renewal overhead) and are therefore inadequate for real-world applications on their own. This is because using the same key multiple times may enable an attacker to reveal more parts of the private key, and hence compromise the security of the underlying scheme.


Figure 2: Merkle Signature Scheme (MSS) using One-Time Signature (OTS): An illustration of a stateful Multi-time Signature (MTS) scheme. (Figure adapted from [28].)


Figure 3: Hypertree structure used in SPHINCS: An illustration of stateless Hierarchical Signature (HS) scheme. (Figure adapted from [29]).

II-C2 Stateful Multi-time Signature Schemes (MTS)

To overcome the one-time nature of OTS schemes, MTS schemes construct many-time signatures by using OTS as a building block. In [30], Ralph Merkle proposed the Merkle Signature Scheme (MSS), which aggregates a large number of OTS key pairs into a single binary hash tree, yielding one global public key and one global private key (as shown in Fig. 2). To authenticate the relation of a one-time public key to the global public key (also referred to as the tree root), each signature appends a sequence of intermediate tree nodes called the authentication path (as shown in Fig. 2). Such a path allows the verifier to reconstruct the route from the relevant one-time public key to the tree’s root during signature verification. To enhance the efficacy and practicability of MSS, the following optimization strategies are adopted, based on different flavors of Merkle tree construction, leaf calculation, and parameter specification. Firstly, the global private key can be constructed efficiently by using a cryptographically secure Pseudo-Random Number Generator (PRNG) such that, from an initial seed value (which acts as the private key), both the successive seeds and the one-time secret keys are derived. Thus, in lieu of storing all OTS secret keys, it is sufficient to store only the seed value of the PRNG and to generate the other seed values on-the-fly, which ultimately minimizes storage requirements. Such a strategy for global private key construction also provides forward secrecy and existential unforgeability under adaptive chosen message attacks [31]. Nevertheless, it necessitates precise counter management for tracking the used keys, particularly across multiple invocations of the signing algorithm, because a one-time private key must never be used twice.
Secondly, the performance-optimized BDS algorithm [32] is used for efficient computation of the authentication path: it caches the authentication path from the previous signature, thus trading memory for time. Concrete examples of such multi-time signature schemes are the Extended Merkle Signature Scheme (XMSS) [33] and the schemes of [34] and [35].

II-C3 Stateful Hierarchical Signature Schemes (HS)

Although the optimized BDS algorithm provides sufficient performance during signature generation in XMSS implementations, generating a new key pair is still relatively slow because the entire hash tree has to be constructed [31]. Hence, to further improve performance, HS schemes are proposed. In essence, HS schemes are MTS schemes that use other hash-based signature schemes in their construction. The idea of HS is based on the formation of a hypertree that chains multiple layers of MSS trees. In this form of Merkle tree construction, the upper layers are used to sign the roots of the trees in the layers below, while only the lowest layer is used to sign messages. Notable examples of HS are XMSS Multi-Tree (XMSSMT) [36], XMSS with tightened security (XMSS-T) [37], and the Leighton Micali Scheme (LMS) [34]. XMSSMT is particularly suited to applications that require a very large number of messages to be signed. Note that XMSSMT should be used in conjunction with other optimization strategies, including the BDS algorithm, PRNG-based key derivation, and caching of the authentication paths; otherwise, the required storage and the long time for random number generation outweigh the performance gain of XMSSMT. Additionally, LMS has two variants, i.e., the Leighton Micali one-time signature (LM-OTS) and the many-time signature scheme LMS [38].

II-D Stateless HBS Schemes

Keeping track of the last used OTS key pair is considered one of the major downsides of stateful schemes. To address this problem, stateless schemes were introduced. A stateless digital signature scheme eliminates the need to maintain an updated, non-repeated secret key upon each signature generation. Unlike stateful schemes built on OTS (WOTS or its variants), stateless HBS schemes build on few-time signature schemes, for instance Hash to Obtain Random Subset/PRNG to Obtain Random Subset (HORS/PORS) [39] and HORS with Tree (HORS-T) [40].

II-D1 Stateless Hierarchical Signature Schemes (HS)

Examples of stateless HS schemes are SPHINCS [40] and its variants SPHINCS-Simpira [41], Gravity-SPHINCS [15], and SPHINCS+ [42]. Similar to XMSSMT, SPHINCS uses a hypertree in which the upper layers use XMSS with WOTS+ to sign the roots of the trees in the layer below them, while the lowest layer uses a Merkle tree construction with HORS-T for signing messages (as shown in Fig. 3). Since stateless schemes do not keep a record of used key pairs, SPHINCS ensures the correct few-time usage of key pairs by deploying many HORS-T key pairs and selecting a random one for each signature generation. As a result, no path-state tracking is required.

Generating all HORS-T and WOTS+ private keys from a PRNG during key generation, and computing only one tree per layer during signature generation, keeps the computation of SPHINCS feasible. Nevertheless, stateless schemes pose the following performance issues. Firstly, signature generation is more expensive because the key pairs are used in random order rather than successively; hence, the BDS optimization algorithm is no longer applicable. Secondly, in contrast to WOTS+ signatures, HORS-T signatures are much larger. We summarize the stateless and stateful classes of HBS schemes along with their signature sizes, key lengths, and other relevant details in Table IV and Table V.
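The few-time building block of Section II-D, as an added example written for this page (our own toy code, not the paper’s or SPHINCS’s): a plain HORS key pair, signing by revealing the secret values that the message digest selects, verification against their hashes, a measure of how much of the secret key successive signatures expose (the reason the scheme is only few-time), and the SPHINCS-style pseudo-random choice of which few-time key pair signs a given message, which is what removes the need for a state counter. Assumptions that are ours: SHA-256, t = 2^8 secret values, k = 16 indices per signature, and a hypothetical secret PRF key for the key-pair selection; HORS-T’s tree compression of the public key is not implemented.

```python
import hashlib

# Toy parameters (our assumptions): t = 2**TAU secret values per key pair, k of
# which are revealed per signature. With TAU = 8 and K = 16 the first K*TAU = 128
# bits of the message digest select the indices.
TAU = 8
T = 1 << TAU
K = 16
N = 32   # SHA-256 output bytes

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def hors_keygen(seed):
    # Secret key: t pseudo-random values; public key: their hashes (t*N bytes).
    sk = [H(seed, i.to_bytes(2, "big")) for i in range(T)]
    return sk, [H(s) for s in sk]

def hors_indices(msg):
    # Map the message digest to k indices in [0, t): consecutive TAU-bit chunks.
    bits = int.from_bytes(H(msg), "big")
    return [(bits >> (TAU * j)) & (T - 1) for j in range(K)]

def hors_sign(sk, msg):
    # The signature is simply the k selected secret values (k*N bytes).
    return [sk[i] for i in hors_indices(msg)]

def hors_verify(pk, msg, sig):
    idx = hors_indices(msg)
    return len(sig) == K and all(H(s) == pk[i] for s, i in zip(sig, idx))

def revealed_fraction(msgs):
    # Few-time property: every signature leaks up to k of the t secrets, and the
    # union grows with use, so one key pair must only sign a small fixed number
    # of messages before it is retired.
    exposed = set()
    for m in msgs:
        exposed.update(hors_indices(m))
    return len(exposed) / T

def sizes_bytes():
    # The public-key vs. signature size trade-off Table IV lists for HORS.
    return {"public_key": T * N, "signature": K * N}

def select_keypair(secret_prf_key, msg, height):
    # SPHINCS-style stateless choice of the few-time key pair that signs `msg`:
    # a pseudo-random leaf index derived from a secret and the message, so no
    # counter is stored; the few-time property absorbs occasional collisions.
    return int.from_bytes(H(secret_prf_key, msg), "big") & ((1 << height) - 1)
```

Two points the code makes concrete: in HORS the signature is small but the public key is t hash values (which is why HORS-T hashes those values into a tree and ships authentication paths instead, trading public-key size for signature size as Table IV shows), and a stateless signer replaces the "next unused index" of Section II-C2 with a deterministic function of the message, so signing the same message twice re-selects the same key pair and reveals nothing new.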

TABLE IV: OTS/FTS schemes for 384-bit message length and 128-bit (approximately) post-quantum security level.
Scheme | Type | Signature size (KB) | Key size (KB)
Lamport-Diffie | OTS | 18.4 | 36.9
WOTS | OTS | 4.8 | 4.8
WOTSPRF | OTS | 3.2 | 3.2
WOTS+ | OTS | 3.2 | 3.7
HORS/PORS | FTS | 1.2 | 3.1 MB
HORS-T | FTS | 17.3 | 0.05

TABLE V: Stateful and stateless hash-based signature schemes: a comparative summary.
Scheme | Instantiation | Message length | Type | Base scheme | Key-reuse capacity | Signature size (KB) | Key size (KB)
MSS | SHA-384 | 384-bit | Stateful | WOTS | 2^60 | 7.7 | 0.05
XMSS | SHA-256 | 256-bit | Stateful | WOTSPRF | 2^60 | 4.7 | 0.03
XMSSMT | AES-128 | 256-bit | Stateful | WOTSPRF | 2^80 | 10.5 | private key = 26.1, public key = 1.8
SPHINCS | SHA-256 | 512-bit | Stateless | HORS-T; WOTS+ | Unlimited | 41.0 | 1.0
G-SPHINCS | Haraka | 512-bit | Stateless | PORS; WOTS | Unlimited | 30.0 | private key = 0.06, public key = 0.03
SPHINCS-S | Simpira | 512-bit | Stateless | HORS-T; WOTS+ | Unlimited | 41.0 | 1.0

III Features of HBS Schemes and Their Significance in The IoT Environment

Several arguments underpin the use of HBS schemes in the IoT ecosystem: quantum resistance, minimal security assumptions, function agnosticism, forward-secure construction, and extensively tunable parameters. In this section, we elaborate on these features of HBS schemes and relate them to the IoT environment through suitable illustrations. The striking features of HBS schemes are summarized in Fig. 4.

Traditional signature schemes generally require number-theoretic hardness assumptions (such as composite integer factorization and the discrete logarithm problem) in addition to the security of hash functions. On the contrary, HBS schemes rely solely on the underlying secure cryptographic hash function, thereby pruning the attack surface and reducing the opportunities for cryptanalysis. For instance, a secure implementation of XMSS depends exclusively on a cryptographic hash function that is either second-preimage resistant or pseudorandom. Thus, the minimal security assumption of HBS effectively reduces the complexity of implementation by eliminating the reliance on multiple security components. Hence, it streamlines deployment across diverse implementations (such as massively heterogeneous applications, which seem good candidates) and devices (such as resource-constrained IoT devices) [33].

HBS schemes are function-agnostic, i.e., they can be built on top of any hash function that satisfies the security requirements of cryptographic hash functions. Such inherent flexibility allows the selection of different underlying hash functions to meet the desired performance requirements of the application-specific environment. The function-agnostic and quantum-resistant nature of HBS schemes makes them future-proof: should a specific hash function turn out to be vulnerable over time, the underlying hash function can simply be substituted in the implementation. For instance, to handle multi-target attacks, researchers shifted to collision-resilient signature schemes, since collision resistance is subject to birthday attacks whereas preimage and second-preimage resistance are not [43].

Future-proofness translates into long-term security for long-lived devices. One aspect is the hardware protection of the multitude of field-deployed devices in massive IoT. For example, redeploying sensor motes in industrial automation, precision agriculture, environment monitoring, and other mission-critical applications is a disruptive, costly, and time-consuming task; therefore, hardware longevity must be considered to address future threats. Another aspect is high assurance of digitally signed firmware, to prevent adversaries from stealing the signing credentials of long-running devices. A further example is mission-critical devices that require data trustworthiness, especially in applications that derive value from sensor data for decision-making, risk assessment, and performance evaluation [44]. Under both aspects, the long-term security offered by PQC in the form of hash-based signatures must be adopted to ensure trustworthy and healthy data in the quantum IoT.

To enforce security in constrained environments, HBS allows an adaptable selection of parameters that enables trade-offs between signing speed and key size, rather than requiring dedicated schemes. For instance, a key configuration based on a lightweight underlying hash function together with design optimizations is suggested in [18] for resource-constrained IoT.

Through PRNG-based key derivation, HBS supports a forward-secure construction, which implies that an attacker who gets hold of the current private key cannot derive any information about previously used signature keys. Forward secrecy plays a consequential role where devices can be tampered with, compromised, or even stolen, such as in remote areas or outdoor device settings [14].

TABLE VI: Pros and Cons: Stateless vs. Stateful hash-based signature schemes.
Type | Pros | Cons | Use case
Stateful | Shorter signature size; faster signature generation time | State synchronization problem (synchronization failure); cloning problem (volatile and non-volatile) | Performance-constrained environment
Stateless | No state synchronization problem; no cloning problem | Longer signature size; slower signature generation time | Resource-constrained environment


Figure 4: Striking features of hash-based signature schemes.

IV Introducing Hash-Based Signatures in the IoT Ecosystem

Improving the data integrity of IoT devices against large-scale quantum computers depends on multiple factors, for instance careful selection of an HBS scheme grounded in the underlying application requirements, device constraints, and design optimization criteria. In this section, we highlight why quantum technologies matter in critical infrastructure and IoT. Furthermore, we discuss the factors to consider when choosing the apt HBS scheme from the get-go, to avoid the digital transformation pitfalls of cutting-edge technologies.

IV-A Stateless or Stateful?: Adoption of Apropos HBS Schemes

The first factor is the adoption of an apropos HBS scheme for IoT devices. Before going into further details, the crux of stateful versus stateless HBS is as follows. The concept of statefulness arises from the use of one-time signature key pairs. As the robustness and security of HBS schemes depend completely on never reusing a one-time key pair, tracking the utilization of one-time key pairs is of paramount importance. To do so, one-time signing keys are used in sequential order, and an index or counter is stored in the global secret key to indicate which one-time key pairs can still be used for signing. In addition to the index, HBS schemes also include an authentication path, i.e., the sequence of intermediate nodes required to reconstruct the path to the root node in order to validate a one-time public key against the global public key. Different approaches store different elements as part of the state data, for example the nodes for the next authentication path or pre-computed nodes. The size required for storing the state depends on the tree structure; for instance, a 4-byte and an 8-byte value suffice for XMSS and XMSSMT, respectively. Thus, maintaining the state information, including the authentication path and the key index, along with each signature keeps the signing time even. Nevertheless, it requires storing updated state information, depending on the parameters and implementation choices used.

On the other hand, stateless HBS schemes do not need to track the use of one-time key pairs; however, their signature sizes are significantly larger (as shown in Table V), making them impractical in some scenarios. Thus, the optimal selection of a stateful or stateless scheme for embedded systems primarily depends on the time-memory trade-off. For instance, stateful schemes use memory to store state information and have better run-time, hence are well-tailored for performance-oriented systems, whereas stateless schemes use processing power and have better memory utilization, hence are well-suited for memory-constrained systems. It can be concluded that the stateful versions of HBS schemes offer better performance than the stateless versions, but require careful implementation to prevent an attacker from exploiting vulnerabilities related to state management. A summarized comparison of the pros and cons of both schemes is presented in Table VI.
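To make the state described above concrete, here is an added example (not code from the paper or from any HBS standard): a toy stateful scheme built from Lamport one-time signatures and a Merkle tree of height 3, using SHA-256 and a constructed seed. The leaf index is the state that must never be reused; the authentication path ties each one-time public key to the root, which serves as the global public key.

```python
"""Added illustration, not code from the paper: a toy stateful HBS built from
Lamport one-time signatures (OTS) and a Merkle tree. It makes the state
concrete: the OTS secrets derived from one seed, the leaf index, and the
authentication path that links a one-time public key to the global public
key (the root). Tree height, hash choice and seed are constructed for the
example and are far too small for real use."""
import hashlib
import hmac

HEIGHT = 3                     # 2**HEIGHT = 8 one-time key pairs (tiny, for clarity)
BITS = 256                     # SHA-256 digest bits = Lamport secrets per key pair


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def ots_keygen(seed: bytes, index: int):
    """Lamport key pair for leaf `index`, derived deterministically from the seed."""
    sk = [[hmac.new(seed, b"%d|%d|%d" % (index, i, b), "sha256").digest()
           for b in (0, 1)] for i in range(BITS)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk


def ots_pk_hash(pk) -> bytes:
    """Compress a one-time public key into the leaf value of the Merkle tree."""
    return H(*[h for pair in pk for h in pair])


def _bits(digest: bytes):
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]


def ots_sign(sk, digest: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(digest))]


def ots_verify(pk, digest: bytes, sig) -> bool:
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(digest)))


def build_tree(seed: bytes):
    """Layers of the Merkle tree; layers[-1][0] is the root (global public key)."""
    layers = [[ots_pk_hash(ots_keygen(seed, i)[1]) for i in range(2 ** HEIGHT)]]
    while len(layers[-1]) > 1:
        prev = layers[-1]
        layers.append([H(prev[j], prev[j + 1]) for j in range(0, len(prev), 2)])
    return layers


def auth_path(layers, index: int):
    """Sibling nodes needed to recompute the root from leaf `index`."""
    path = []
    for layer in layers[:-1]:
        path.append(layer[index ^ 1])
        index >>= 1
    return path


def root_from_path(leaf: bytes, index: int, path) -> bytes:
    node = leaf
    for sibling in path:
        node = H(node, sibling) if index % 2 == 0 else H(sibling, node)
        index >>= 1
    return node


class StatefulSigner:
    def __init__(self, seed: bytes):
        self.seed = seed
        self.layers = build_tree(seed)
        self.public_key = self.layers[-1][0]
        self.index = 0          # the state: next unused leaf (a 4-byte value for XMSS)

    def sign(self, message: bytes) -> dict:
        if self.index >= 2 ** HEIGHT:
            raise RuntimeError("all one-time key pairs have been used")
        idx = self.index
        self.index += 1         # advance the state before the signature is released
        sk, pk = ots_keygen(self.seed, idx)
        return {"index": idx, "ots_sig": ots_sign(sk, H(message)), "ots_pk": pk,
                "auth_path": auth_path(self.layers, idx)}


def verify(public_key: bytes, message: bytes, sig: dict) -> bool:
    """Check the one-time signature, then the path from its public key to the root."""
    if not ots_verify(sig["ots_pk"], H(message), sig["ots_sig"]):
        return False
    leaf = ots_pk_hash(sig["ots_pk"])
    return root_from_path(leaf, sig["index"], sig["auth_path"]) == public_key


if __name__ == "__main__":
    signer = StatefulSigner(b"constructed seed, 32 bytes long!")
    signature = signer.sign(b"sensor reading: 42 C")
    print("index used:", signature["index"], "valid:",
          verify(signer.public_key, b"sensor reading: 42 C", signature))
```

Each signature carries the index and the authentication path, so the verifier needs only the root; the signer, however, must persist `index` across reboots, which is exactly the state-management burden discussed later.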

Figure 5: IoT use cases illustrating performance-constrained and resource-constrained scenarios.

Figure 6: Combining a stateless signature scheme (such as HORS-T) at the root level and a stateful scheme (such as LMS or XMSS) at the lower levels: A hybrid approach. (Figure source: [13]).

For a given IoT system, the choice between a stateless and a stateful HBS scheme must be carefully weighed based on whether the system is performance-constrained (processing time, computational complexity) or resource-constrained (energy usage, memory consumption). For instance, consider a nuclear reactor (as shown in Fig. 5 (right-most)) where sensors (for instance, temperature, flow, pressure, or level sensors) are deployed to monitor the heating system, water pressure, or water level. The sensors' readings are reported to a control room that is accountable for making critical decisions (turning a valve on or off, or adjusting values) based on those readings. Under such a performance-constrained environment, the integrity and authenticity of data must be verified efficiently because operations such as parameter tuning, data debugging, and aging management rely on data-driven decisions. Similarly, Fig. 5 (middle) illustrates an Industry 4.0 example that exhibits the synergy between industry and IoT. The example shows a smart factory where fog-enabled Unmanned Aerial Vehicles (UAVs) gather tasks from the sensors, compute them, and deliver the processed results to the control unit. Under the resource-constrained Industrial Internet of Things (IIoT), the tasks are offloaded to UAVs to conserve sensor energy. Accordingly, stateful schemes are suitable candidates for the former case, while stateless schemes are apt for the latter.

In a setting where an IoT system is both resource-constrained and performance-critical, a reasonable compromise between stateful and stateless schemes is the hybrid approach. For instance, in [11], the authors proposed a hybrid method that combines a stateless signature scheme such as HORS-T at the root level with stateful signature schemes (e.g., XMSS and LMS) at the lower levels (as shown in Fig. 6). Such a strategy overcomes the downsides while merging the benefits of both stateful and stateless HBS schemes.

IV-B Implications of Quantum Computing on DLT

The second factor covers the imminent and prodigious threats that quantum computers pose to applications of DLT. Although DLT is a quintessential solution for the Internet of Everything (IoE), one of its main challenges is the reliability of the data generated by things. DLT can ensure the immutability of data in the ledger; nevertheless, when the data generated by IoT devices is dubious or malicious due to the physical environment, the participants, vandalism, or device failure, its further propagation through the ledger stays corrupted. Furthermore, analysis and interpretation based on such abnormal data produce catastrophic results, especially for applications relying on data for critical decision-making processes, risk assessment, and performance evaluation [45]. Corrupted devices either suffer physical damage or have their firmware updates restricted to keep them from acting on possible bugs or security breaches. One solution to ensure the trustworthiness of the data produced by the device in question is to keep track of data lineage through data provenance [45].

In the IoT ecosystem, blockchain is another ahead-of-the-curve DLT solution that has empowered resource-consuming devices to participate autonomously in the Machine-to-Machine (M2M) or Machine-to-Human (M2H) economy, for instance, to support and accelerate distributed energy in a microgrid or electric vehicle charging (as shown in Fig. 5 (left-most)). Currently, most blockchain-based solutions rely heavily on conventional cryptographic standards to support the immutability and transparency of data. However, ledgers that are not quantum-resistant could pose a long-tail data risk. High-powered quantum computers can jeopardize the M2M or M2H world by potentially enabling attackers equipped with quantum computers to monopolize the network, sabotaging transactions, preventing transactions from being recorded, or double-spending [46]. To prepare for the quantum apocalypse, blockchain-enabled schemes that already support post-quantum techniques include the Quantum Resistant Ledger (QRL) [47] (using XMSS), IOTA [48] (using WOTS), and Corda (using BPQS, a single-chain variant of XMSS).

IV-C Optimal Design Objectives

The third factor is the optimized design objectives for IoT devices. In particular, the function independence characteristic of HBS schemes makes them a suitable candidate for ultra-constrained IoT settings, for instance, the latency-area optimized design approach proposed in [18]. Similarly, other design trade-offs for IoT devices include a lightweight hash function for energy-efficient computation of signature and verification operations. For instance, in [18], the authors implement and perform an explicit area and latency analysis of four hash candidates, namely SHAKE-256, SHA-256, S-quark, and Keccak-400. Considering energy budget constraints, Keccak-400 is selected.

To meet the design objectives of resource-constrained IoT nodes, in addition to smaller parameters and a lightweight hash function, appropriate algorithms based on the design specification of the motes are needed. Such hardware/software co-design principles provide a trade-off between area overhead and hardware penalties. For example, [18] proposed a scheme in which WOTS+ operations are implemented in hardware, owing to the significant amount of repetitive hash computations and to yield a smaller footprint, while XMSS operations and WOTS+ parametrization control are implemented in software to preserve latency gains.

Another design aspect essential to all HBS is the generation of random numbers, either hardware-based or software-based. Keeping in view that sources of external entropy are limited for critical IoT deployments in isolated environments, hardware-based random numbers are preferred (for instance, a Quantum Random Number Generation (QRNG) chip [49]). QRNG is a physically and provably secure source of randomness, in contrast to a PRNG, which requires monitoring to maintain sufficient randomness for business protection as adversaries commit additional resources to finding patterns in PRNG implementations.

IV-D Potential Attacks on HBS

The fourth factor is handling the attack surface that remains even in the presence of quantum-resilient signature schemes, for example, evaluating HBS in the presence of physical (or implementation) attacks, i.e., side-channel attacks and fault attacks. In a differential side-channel attack, the attacker gains extra information by eavesdropping on a side channel, for instance, power consumption, electromagnetic leakage, or processing time during the computation of the signature. In a fault attack, a fault, which can be either natural or malicious, is a misbehavior of the device that causes the computation to deviate from its specification. The goal of the attacker is to exploit such information to gain access to the secret. HBS schemes are vulnerable to hardware fault attacks in the presence of both natural and malicious faults. To address fault-attack resistance, in [50], the authors present an implementation approach that makes stateless hash-based constructions more reliable against natural and malicious faults. Similarly, in [31], the authors discuss implementation recommendations for XMSS to resist implementation attacks (for example, the selection of a side-channel-resistant PRNG, optimized computation of the authentication path, and a strategy for caching signatures). In addition, the proposed scheme can be tailored based on the reliability objectives and available resources [7].

IV-E Benchmark: Software and Hardware

The fifth factor is the benchmark for evaluating the performance of HBS. From the software benchmark perspective, the run-time of the key generation, signing, and verification processes is measured, whereas from the hardware perspective, CPU cycles, key size, signature size, and energy consumption are among the targeted evaluation metrics. In general, the parameter sets are highly dependent on the underlying construction of a particular scheme. For software benchmarking, frameworks such as the System for Unified Performance Evaluation Related to Cryptographic Operations and Primitives (SUPERCOP) and ECRYPT Benchmarking of Cryptographic Systems (EBACS) are commonly used. For hardware benchmarking, an Application-Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA), or other micro-architectures can be configured and programmed accordingly. Also, architecture-specific optimizations such as Advanced Encryption Standard New Instructions (AES-NI) or Advanced Vector Extensions 2 (AVX2) instructions are used to make the scheme implementable on the available micro-architecture [42].

IV-F Trust Chain: Combining HBS and Provenance

The sixth factor involves the combination of HBS schemes and data provenance, which epitomizes the importance of trustworthy data. On one hand, HBS ensures the accuracy, fidelity, availability, and confidence of data, whereas on the other hand data provenance identifies the sources behind stale, latent, and tardy data. Therefore, such a combination can solve the problems related to erroneous or faulty data, thereby enhancing data quality. Another instructive use case of such a scenario is the supply chain, where data integrity and provenance supplement each other to solve the traceability problems, counterfeit concerns, and data accessibility issues in the supply chain space [44].

IV-G Establishing End-to-End Security

The seventh factor is establishing horizontal end-to-end security. A reliable infrastructure is a must to boost the security of the end-to-end ecosystem, especially in the presence of a diverse range of cybersecurity threats (such as data breaches and (D)DoS attacks) and continuously increasing demands on communication efficiency (such as ultra-reliability and low latency). Although 5G promises to meet most of the communication requirements of many versatile applications, for example, the tactile Internet, massive IoT, and autonomous vehicles, its inherent security flaws, for instance, location tracking and activity profiling, still need more attention. Similarly, other quantum-linked features such as quantum-safe communication, the quantum Internet, and Quantum Key Distribution (QKD) also require due attention in order to deftly integrate quantum computing into the fabric of 5G and beyond.

Hence, application-specific and platform-dependent trade-offs must be considered with regard to signing speed, signature size, the desired number of signatures, memory constraints, processing limits, lightweight underlying hash functions, and hardware support for particular hash functions.

IV-H Current Industry-scale Implementation Efforts

Quantum computers already exist, albeit with a restricted number of qubits, and, luckily for today's security, they cannot run Shor's algorithm. For example, the Canadian company D-Wave Systems was the earliest to market and has already launched its 2000Q System quantum computer [51]. The IBM Q Quantum Computation Center is an industry-first initiative to build commercial universal quantum systems for business and science applications [52]. Furthermore, Google claimed to have achieved quantum supremacy by introducing a superconducting quantum processor called Sycamore [53]. According to their benchmark task, Sycamore (taking 200 seconds) outperforms state-of-the-art supercomputers, which would require approximately 10,000 years to perform the same random sampling task. Continuing the benchmark progress, IBM upended Google's claim and experimentally proved that the same task can be performed on a classical system in 2.5 days by incorporating other conventional optimization techniques to improve performance [54]. In addition, other companies participating in the race to develop quantum computers include Intel, Microsoft, and IonQ, to name a few. Such back-to-back research efforts by tech giants herald a degree of technical maturity towards a quantum leap, which ultimately opens new frontiers for quantum computing in the IoT world.

V Standardization Efforts and Future Research Challenges of HBS Schemes in the IoT

In this section, we highlight the standardization efforts carried out for HBS schemes and future research challenges.

V-A Standardization Efforts

Efforts to solicit and evaluate quantum-resistant public-key cryptographic algorithms for the inevitable transition to post-quantum cryptography are underway at many standardization organizations. For instance, the National Security Agency (NSA) plans to shift from the Suite B set of cryptographic algorithms towards post-quantum cryptography [55]. Furthermore, workshops and calls for proposals have been initiated by the US National Institute of Standards and Technology (NIST) [56] in its Post-Quantum Cryptography Standardization project (the Round 2 candidate algorithms are under evaluation [57]) and by the European Telecommunications Standards Institute (ETSI) [58] in its Quantum-Safe Cryptography (QSC) project [59], indicating the increasing necessity of switching to post-quantum cryptography. Regarding the specification of HBS, the Internet Engineering Task Force (IETF) is targeting both XMSS and LMS for standardization [60, 61]. Other ongoing projects and developments by the European Commission to promote research on post-quantum cryptosystems include PQCRYPTO [62] (conducting research on post-quantum cryptography for small devices, the Internet, and the cloud) and SAFEcrypto [63] (focusing on secure post-quantum cryptographic solutions to preserve the privacy of government data and to protect data in communication systems) [7]. Similarly, the CryptoMathCREST [64] research project, supported by the Japan Science and Technology Agency, studies the mathematical problems underlying the security of PQC.

V-B Future Research Challenges

In the quest to secure the IoT in the quantum era, the following technical, non-technical, and social challenges of HBS schemes call for further investigation. We also outline the key recommendations necessary to act on and prepare for the quantum era. Fig. 7 presents a detailed taxonomy of the current and future research and deployment challenges for HBS-driven IoT, and we summarize the challenges along with their causes and possible solutions in the accompanying table.

Figure 7: Current and future challenges for HBS schemes in the IoT domain.

V-B1 Technical Challenges

Here we discuss technical challenges related to IoT devices with reference to quantum computing.

a) State Management: In stateful signing schemes, state management is one of the main obstacles to the widespread use of HBS schemes. The version of the private key in non-volatile memory (disk) must be continuously synchronized with that in volatile memory (RAM) to avoid key synchronization failure. A crash of an application or operating system, corruption of the nonvolatile state, a power outage, or a software bug could be among the potential causes of synchronization failure [11]. The delay caused by synchronizing the private key between the storage unit and the execution unit adds latency to signature generation, thus severely deteriorating the overall performance of the system.

b) Cloning: Another problem in stateful signature schemes is cloning. This risk occurs when a private key is copied and then used without coordination with the execution units (known as non-volatile cloning) or without coordination with the storage units (known as volatile cloning). Live Virtual Machine (VM) cloning or restoration of a key file to a previous state from a backup system could potentially cause volatile or non-volatile cloning. The cloning problem results in the generation of multiple signatures from the same system state, thus crucially undermining security. For instance, in the case of live VM cloning, values that may only be used once are at risk, including initialization vectors, pseudorandom numbers, counters for encryption, one-time passwords, and seeds for digital signatures [65]. Similarly, initial sequence numbers could be reused for hijacking in the case of S/Key (a one-time password system) and the TCP protocol [11]. Issues with such primitives can be problematic even for classical digital signature schemes. To summarize, nonvolatile cloning may not cause any issue for a system devoted only to signature generation; however, it can pose a significant risk to a general-purpose software system. On the other hand, volatile cloning leads to catastrophic results, particularly due to the vulnerabilities pertaining to the caching of random numbers. Therefore, state management strategies must be gauged in a nuanced way, tailored to specific use cases. For instance, resource-constrained sensor nodes piggyback on UAVs for the computation and processing of tasks (as shown in Fig. 5 (middle)). In this scenario, the issues of state management (either key synchronization or cloning risk) may cause problems including (i) performance issues in delivering results to the control unit, (ii) energy issues at the UAVs, and (iii) data integrity risks at the control unit.

Stateless signing algorithms solve the state and key synchronization concerns; however, signature size remains a problem. To resolve the issues of both stateless and stateful schemes, a hybrid approach that combines smaller signatures with faster signing deserves further exploration. Other possible solutions suggested in [11] include a state reservation strategy and hierarchical signature schemes. Simply put, in a state reservation approach, the private key state that is N signatures ahead of the current one is written to storage in advance, thereby avoiding the need to write the updated private key into nonvolatile storage after every signature. In the case of a hierarchical signature scheme, a volatile bottom level enforces the reservation property such that the private key of the volatile level is never synchronized to nonvolatile storage. Such a combined volatile/nonvolatile hierarchical signature scheme avoids synchronization problems and is considered a reasonable model for problems related to write operations, such as a power outage or an application crash. However, neither of these solutions addresses the nonvolatile cloning problem.
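The state reservation strategy as an added simulation (not code from [11] or from the paper): nonvolatile storage is modelled as a small object that survives a simulated crash, the one-time signature itself is reduced to the key index it consumes, and a naive write-after-sign signer is run beside the reserving one so that the crash behaviour of each can be compared. Reserve size, key size and messages are constructed values.

```python
"""Added simulation, not code from the paper or from [11]: the state
reservation strategy for a stateful HBS signer. Nonvolatile storage is a
small object that survives a simulated crash (volatile state is lost by
discarding the signer and rebuilding it from storage). The one-time
signature is reduced to the key index it consumes, since the state-management
problem concerns only which index is used. Reserve size, key size and
messages are constructed values."""


class NonVolatile:
    """Models the private-key file on disk: keeps an index and counts writes."""

    def __init__(self):
        self.index = 0
        self.writes = 0

    def write(self, index):
        self.index = index
        self.writes += 1


class NaiveSigner:
    """Advances the index in RAM and persists it only after the signature is out."""

    def __init__(self, nv):
        self.nv = nv
        self.next_index = nv.index       # (re)boot: reload the last committed index

    def sign(self, message):
        idx = self.next_index
        self.next_index += 1
        return idx, message              # stand-in for (index, OTS signature, auth path)

    def commit(self):
        self.nv.write(self.next_index)   # a crash before this repeats idx after reboot


class ReservingSigner:
    """Writes the index `reserve` steps ahead before using any index of that window.
    Storage always holds the first index NOT yet reserved, so a reboot can only
    skip unused indices, never repeat one. A cloned copy of `nv` (nonvolatile
    cloning) would still defeat this, as the text notes."""

    def __init__(self, nv, reserve, total):
        self.nv = nv
        self.reserve = reserve
        self.total = total               # number of one-time key pairs in the tree
        self.next_index = nv.index
        self.reserved_until = nv.index   # indices below this are reserved for this boot

    def sign(self, message):
        if self.next_index >= self.total:
            raise RuntimeError("one-time key pairs exhausted")
        if self.next_index == self.reserved_until:
            # reservation used up: one write covers the next `reserve` signatures
            self.reserved_until = min(self.next_index + self.reserve, self.total)
            self.nv.write(self.reserved_until)
        idx = self.next_index
        self.next_index += 1
        return idx, message

    def commit(self):
        pass                             # storage is already ahead of every used index


def run(make_signer, messages, crash_after=None):
    """Sign each message; after message number `crash_after` the device loses its
    RAM state before commit and reboots from storage.
    Returns (indices used, number of storage writes)."""
    nv = NonVolatile()
    signer = make_signer(nv)
    used = []
    for i, message in enumerate(messages):
        used.append(signer.sign(message)[0])    # the signature leaves the device here
        if i == crash_after:
            signer = make_signer(nv)            # power loss: only `nv` survives
        else:
            signer.commit()
    return used, nv.writes


def reused_indices(used):
    """Indices that signed more than once: any entry here breaks one-time security."""
    return sorted({i for i in used if used.count(i) > 1})


if __name__ == "__main__":
    msgs = [b"reading %d" % i for i in range(5)]
    print("naive, crash after 3rd signature:", run(NaiveSigner, msgs, crash_after=2))
    print("reserving(4), same crash:",
          run(lambda nv: ReservingSigner(nv, reserve=4, total=8), msgs, crash_after=2))
```

With a reserve of 4, the reserving signer needs one storage write per four signatures instead of one per signature, and the crash costs it one unused index rather than a repeated one.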

c) Specification of Parameters: Another issue is that the specification of a universal parameter set depends highly on the intended use cases. Since constraints on performance aspects such as signing speed and key size are highly dependent on the underlying use cases, it is hard to define one universal parameter set for every scenario. For example, software update authentication does not entail high-frequency signing, whereas the converse is true for Hypertext Transfer Protocol (HTTP) over Transport Layer Security (TLS). Another example is an individual user's email signing, which does not require frequent signing; however, keeping usability considerations in view, priority is given to the signature size to limit message expansion [13].

HBS schemes need to offer concrete parameter choices to provide user guidance while considering constraints on performance aspects such as signing speed and key size. For concrete instantiations, proper guidance (rules and regulations with concrete steps) should be included in standards. In this regard, [66, 60] suggest concrete parameter sets and discuss the crucial element of security levels for the proposed parameter sets, but do not address their adequacy for specific applications. Thus, the underlying hash function, state management strategies, and other construction parameters must be evaluated in a nuanced way depending on the intended use case, as also discussed in subsections IV-A and IV-C. Although the recommended parameters should be provided by the cryptographic community, customizing signing speed, key size, and other construction parameters depending on the application scenario is a crucial asset.

d) Trade-off Between Excessive Data and Performance: Depending on the application and underlying infrastructure, a network of things may have a dynamic and rapidly changing dataflow and workflow, where data inputs are provided by a variety of sources such as sensors, external databases or clouds, and other external subsystems. As the generation of vast amounts of data over time renders IoT systems potential big data generators, how can we ensure the speed and performance of the underlying HBS schemes? One potential solution is to adopt hybrid HBS schemes to enable a trade-off between performance-constrained and resource-constrained environments. Besides, more efficient algorithms may open the way to applications in the diverse and constrained reality of the vast majority of IoT devices.

V-B2 Non-Technical Challenges

Bringing in quantum computing could enable advances in many futuristic technologies; however, it requires consideration of many significant factors. Here, we discuss non-technical challenges related to IoT devices with reference to quantum computing.

a) Business and Economic Setbacks: As the age of quantum computing gradually dawns, new hardware systems appear to be among the constantly increasing requirements. Therefore, the question of how IoT devices can adapt to quantum computing with their current embedded hardware (such as crypto-processors), which is generally optimized to carry out certain cryptographic operations, must be answered. The implications of such demands are likely to be huge business and economic setbacks in terms of expenditure on new or upgraded IoT infrastructures to handle the increased workload. Thus, bringing in new hardware may be too expensive for cost-sensitive large-scale applications that usually look for cost-effective solutions by drastically reducing capital expenditure (CapEx) and operational expenditure (OpEx).

b) Entanglement in Legacy Systems, Existing Applications, Standards, and Protocols: In addition to the aforementioned demand for new hardware systems, one of the substantial concerns is how to retrofit legacy systems with advanced security solutions, because shifting to a novel quantum-based infrastructure for IoT demands a fragile engineering environment: for example, temperature constraints for operating quantum infrastructure, the limited range of terrestrial quantum communication networks, the staggering cost of the various hardware for carrying out QKD, budget funding, and other obstacles may limit the usability of quantum-based systems at the moment.

Similarly, another question is how existing applications and protocols can adapt to quantum computing with their current standards. One solution is to modify the existing protocols to handle larger signature or key sizes by segmenting the data into multiple messages for bandwidth-constrained applications (e.g., self-driving cars). However, the status quo will change, as new applications and protocols must set their standards keeping in mind the demands of quantum-safe schemes. Also, protocol designers should be aware that changes in the underlying cryptography may well be necessary in the future, whether due to quantum computing or to other unforeseen advances in cryptanalysis. For new applications, implementations must keep the demands of PQC in mind and allow the new schemes to be accommodated, as PQC requirements might shape future application standards.

c) Heterogeneity in Terms of Application and System: Another unique characteristic of IoT devices is heterogeneity. On one hand, heterogeneity may appear in terms of divergent application requirements, for instance, resource constraints in sensor networks, security constraints for medical implantable devices, and performance constraints for IIoT. On the other hand, it may appear in terms of diversified architecture requirements, for instance, interoperability across diverse platforms from different vendors, integration of disparate sub-systems, and compatibility among sub-systems so that they work in conjunction without conflict. Possible solutions to handle heterogeneity are to consider the interoperability and integration of systems or subsystems, and to promote flexibility and include abstractions that facilitate integration with existing applications and libraries. Systems that have prescriptive requirements, such as military-critical and safety-critical systems, must consider all of these aspects while enforcing appropriate quantum-resistant algorithms upon careful identification of the system requirements (such as performance contracting).

d) Bridging The Gap: Integrating HBS with Well-known and Tested Cryptographic Libraries: Integrating HBS with well-known and tested cryptographic libraries plays an ergonomic role in ensuring the wide availability of HBS in security infrastructures and serves the goal of absolute security shared by all stakeholders. In the case of HBS, proof-of-concept implementations exist, such as [33, 67], which mark a necessary step towards widespread usage. On a related note, such stand-alone implementations are unable to facilitate both technical interfacing and strategic decisions such as parameter selection. In [12], the authors suggested avoiding case-by-case implementation of cryptographic primitives, as it is inopportune for organizations to develop their own ad hoc implementations, and recommended the use of commonly used software cryptographic libraries (such as OpenSSL), particularly because of their ability to include abstractions that facilitate system integration and combination.

V-B3 Social Challenges

In the following, we discuss the social challenges faced by HBS in IoT networks.

a) Ethical and Moral Consequences: Access to large-scale quantum computers by government institutions and other research funding organizations can be analyzed from an ethical perspective. For example, if access to quantum computers is limited to a few government agencies, they may dominate or dictate to other nations (also referred to as the Big Brother Problem). Also, considering the risk that only a few big companies or corporate laboratories are able to afford quantum computers due to the massive investment required, the entrenched giant companies may use the efficiency gains to out-compete their competitors, leading to monopolies or oligopolies [68]. Even worse, enterprises may use them with criminal intent, such as industrial espionage for competitive advantage, mass surveillance, and other undesirable ends. Furthermore, evildoers can harvest high-value data (such as medical data or sensitive government data) now and break it later using quantum computers. The best way to make the impact of quantum computers positive is to make them widely accessible so that people can run programs on them through the cloud. A toy version of such an idea, with a 5-qubit computer accessible through the cloud, is provided by IBM's Quantum Experience [69]. Similarly, platforms for accessing the quantum computing ecosystem should be provided to enable academic researchers, who are focused on theoretical work, and tech-industry experts, who are familiar with real-world performance needs and security demands, to collaborate and share their experiences.

b) Skepticism in Quantum Computing: On one hand, there is an ongoing race to build universal quantum computers, along with a huge amount of scholarly literature and awareness about the potential societal impact of breaking current-grade cryptography. On the other hand, the physical realization of quantum computers has been a hard slog, which eventually raised serious doubts among quantum skeptics. The skeptics dispute the possibility of building a scalable quantum computer due to various factors (such as noise, constraints on state preparation, unreliability, the virtuous cycle, manufacturing errors, etc.), though they do agree that, theoretically, quantum computation offers an exponential advantage over classical computation [70]. Gil Kalai, one of the most prominent quantum skeptics, also argues against quantum computers on the basis of several facts related to noise in physical systems and quantum error correction [71].

According to the analysis given in [72], quantum computing needs to create a virtuous cycle, similar to that of the semiconductor industry, in order to generate commercial demand by attaining sufficient economic impact and to fund the development of increasingly useful quantum computers as a major milestone. The same quandary applies to IoT devices, for instance, how ultra resource-constrained devices are going to adopt compute-intensive schemes, how to upgrade or replace IoT devices to carry out quantum-secure algorithms, etc. Also, from the software perspective, software developers must have enough knowledge of quantum theory to write code for these machines, as quantum algorithms require a completely different way of thinking about problem-solving. In a nutshell, keeping in view the rudimentary stage of evolution of quantum computers (in terms of hardware and software), most scientists are of the view that we should wait and see, as a lot of work is needed to build post-quantum systems that are widely deployable while at the same time inspiring confidence.

c) Environmental Aspects: The computational and processing time required by the signing algorithm highly impacts the energy consumption of resource-constrained IoT devices, which could ultimately make a noticeable environmental impact as the number of devices connected to the Internet grows exponentially. To curtail such an impact on the environment, efficient signature algorithms should be used so as to conserve energy, which is beneficial for both scientific and environmental interests [73]. Another environmental aspect is the upsurge in e-waste caused by new hardware (such as crypto-processors), as existing devices or embedded components may not be able to efficiently keep pace with quantum-safe algorithms. Moving to quantum-resistant crypto primitives, which involve more computationally intensive tasks, may affect the performance of current systems and even render some devices or components obsolete.

V-B4 Thinking Ahead: A Pragmatic Approach

While we are still preparing for quantum-safe algorithms, we also have to protect the information that is already vulnerable; therefore, the overarching question is which defensive strategies should be adopted by governments, to avoid significant geopolitical and diplomatic ramifications, and by corporate organizations, to mitigate potential liabilities. In the following, we outline a few prudent measures and groundwork that organizations must adopt to plan and prepare a quantum-secure IoT infrastructure.

  • Firstly, identify and document information assets (including business value, access control, data sharing arrangements, handling at end-of-life, and backup and recovery procedures) and the current cryptographic protections (such as lengthening or maximizing current public key sizes) to determine the organization’s vulnerability to external and internal threats. The next step is to document the threat models and threat actors as follows:

    • The threat models encompass critical infrastructure deployments and high inter-connectivity and inter-dependencies among devices, subsystems, and external third-party systems. The models must also recognize that some systems have lifetimes stretching over decades while others may be refreshed annually or more frequently.

    • Identify threat actors and estimate their timeline to access and exploit quantum technology.

  • Secondly, continuous evaluation of such threat models, based on an estimate of the lifecycle and field deployment conditions, is required as new technologies and attack vectors emerge.

  • Thirdly, investigate the impact of quantum technologies and conduct a Quantum Risk Assessment (QRA) on the underlying systems. In this regard, any cyber risk assessment must be periodically updated to account for emerging threats and to take advantage of improved security solutions as quantum technologies are not mature yet and are still rapidly evolving.

  • Fourthly, build crypto agility into systems to ensure an upgrade path and the ability to conduct remote upgrades in a secure, timely, and proactive manner.

  • Fifthly:

    • From the hardware perspective, build devices and systems with long-term security in mind, for instance, hardware-based key generation to adequately secure cryptographic operations throughout the lifetime of the device in the field. Another long-term solution could be to rely on quantum cryptographic methods to reduce the hypothetical risk to business processes until quantum computing hardware becomes commoditized into solutions.

    • From the software perspective, where possible, find other PQC algorithms that can be used as drop-in replacements to make the transition less disruptive.

    • Software-as-a-service or third-party platform providers can also be commissioned for further assistance.

    • Perform a cost estimation of new or upgraded hardware and software systems. This may also involve equipping organization personnel with practical quantum skills, or even accessing a platform to learn from world-class expertise and technology to advance the field of quantum computing.

  • Finally, after identifying and prioritizing the activities required to shift the organization’s technology to a quantum-safe state, keep track of the governance infrastructure and migration plans required to respond to changes in systems, in order to address immediate concerns while permitting the federation of new quantum technologies.

Thus, now and in the future, strategic thinking and long-term planning, alongside short-term remedies and small-scale fixes for the repercussions of exposed information, must be adopted to protect sensitive information in banks and government databases until quantum-safe schemes become fully available with pragmatic solutions and current infrastructures are rendered obsolete.

VI Conclusion

The countdown of the nascent quantum computing paradigm commenced upon the realization of security threats to classical digital signature schemes. This hype cycle also surges in the IoT world, drawing attention to the security, authenticity, and integrity of sensory data. To address such issues, HBS schemes are considered to be part of the future portfolio of deployed PQS, particularly because of the minimal security assumptions they require.

In this article, we covered different aspects of HBS schemes, including their classification, underlying construction parameters, and striking features. We focused on the problem of introducing HBS schemes into the IoT ecosystem, wherein we highlighted the adoption of suitable schemes considering application-specific (such as signature size and signing speed) and platform-dependent (such as memory constraints and hardware support for specific hash functions) trade-offs. Furthermore, we identified a set of future research challenges with an open-ended discussion of the adoption of HBS schemes by the IoT community. We hope that this survey provides researchers with close insights to overcome the challenges and pave the way for the standardization of HBS schemes in IoT-based applications.

As part of our future work, we plan to investigate other post-quantum signature schemes and to compare and evaluate them in terms of the various construction parameters that are necessary for secure, resource-constrained, and performance-constrained IoT environments.

TABLE VII: Current and future research and deployment challenges in HBS-driven IoT.
(T: Technical challenges; NT: Non-technical challenges; S: Social challenges)
Class | Key challenges | Possible solutions
T1: State management | Synchronization failure of the private-key state between non-volatile and volatile memory. This affects system performance, i.e., it adds latency to the signature generation time. | Use stateless or hybrid HBS schemes to avoid key management issues.
T2: Cloning | Using a copied private key without coordination with execution units or storage units. | Use stateless or hybrid schemes.
T3: Specification of parameters | Use-case-specific parameter sets are required. | Define standards for parameter set guidance for use cases.
T4: Trade-off between excessive data and performance | Dynamic dataflow in particular IoT applications. | Use hybrid HBS schemes.
NT1: Business and economic setbacks | How can the current embedded hardware adapt to quantum-safe cryptographic operations? Upgrading or establishing new IoT infrastructures incurs a huge economic burden. | Identify and plan expenditure on software and hardware costs.
NT2: Entanglement in legacy systems, existing applications, standards, and protocols | How to retrofit legacy systems with advanced security solutions? How can existing applications and protocols adapt to quantum computing with their current standards? | Modify the existing protocols to handle larger signature or key sizes. New applications and protocols must set their standards based on the demands of quantum-safe schemes.
NT3: Heterogeneity in terms of application and system | How to provide a quintessential infrastructure for divergent application requirements tailored to specific use cases and diversified architecture requirements that depend strictly on platforms and vendors? | Consider interoperability and integration of systems. Adopt an appropriate algorithm after carefully identifying the system requirements. Promote flexibility and include abstractions to facilitate integration among existing applications and libraries.
NT4: Integrating HBS with well-known and tested cryptographic libraries | How to ensure the wide availability of HBS in security infrastructures? How to avoid case-by-case implementation of cryptographic primitives? | Promote integration of HBS with well-tested and commonly used cryptographic libraries.
S1: Ethical and moral issues | Government agencies having access to quantum computers may attempt to establish dominion over other nations. Colossal firms having quantum computers may monopolize the global market. Researchers and scientists may patent or even hoard knowledge, resulting in limited access to quantum computing knowledge. | Encourage widespread knowledge of the quantum computing paradigm in both academia and industry through collaboration.
S2: Skepticism | Quantum skeptics doubt the possibility of building a quantum computer because of noise, among other factors. How to generate commercial demand for quantum computers? | Leverage standardized post-quantum cryptographic solutions to remain on the safer side. Create a virtuous cycle.
S3: Environmental issues | Energy consumption by massively deployed IoT devices. E-waste caused by new hardware. | Use efficient algorithms to conserve energy. Retrofitting.
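Rows T1 and T2 of Table VII describe the state-management hazard of stateful HBS: the leaf counter held in volatile memory and the copy in non-volatile storage can fall out of step, and a cloned key can be used from two places at once. The following is an added example, written for this page and not taken from the paper or from any of the cited implementations, of the standard defensive discipline for stateful schemes: the signer persists the advanced counter before it releases a signature, refuses to sign when the two copies disagree, and a relying party can flag a leaf that has signed two different messages (the visible symptom of a cloned signer). The leaf scheme is a plain 256-bit Lamport one-time signature over SHA-256 with the leaf public keys simply listed rather than hashed into a Merkle tree; `StatefulSigner`, `find_reused_leaves`, the JSON state file and the sample sensor readings are all constructed for illustration.

```python
# Constructed illustration of HBS state handling (added here; not the paper's code).
# Leaf scheme: 256-bit Lamport one-time signatures; leaf public keys are simply
# listed rather than hashed into a Merkle tree, to keep the focus on the counter.
import hashlib
import json
import os
import tempfile

N_BITS = 256

def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the given byte strings."""
    return hashlib.sha256(b"".join(parts)).digest()

def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1

def lamport_keygen(seed: bytes, leaf: int):
    """Derive the 2*256 secrets of `leaf` from `seed`; return (sk, pk)."""
    sk = [[H(seed, leaf.to_bytes(4, "big"), i.to_bytes(2, "big"), bytes([b]))
           for b in (0, 1)] for i in range(N_BITS)]
    return sk, [[H(s) for s in pair] for pair in sk]

def lamport_sign(sk, digest: bytes):
    """Reveal, for every digest bit, the secret matching that bit's value."""
    return [sk[i][_bit(digest, i)] for i in range(N_BITS)]

def lamport_verify(pk, digest: bytes, sig) -> bool:
    return len(sig) == N_BITS and all(H(sig[i]) == pk[i][_bit(digest, i)] for i in range(N_BITS))

class StateError(Exception):
    """Persisted and in-memory leaf counters disagree, or the keys are exhausted."""

class StatefulSigner:
    """Few-time signer with its leaf counter in a file (non-volatile copy) and in
    memory (volatile copy). The file is advanced *before* a signature is released,
    so a crash after the write wastes one leaf instead of reusing one."""

    def __init__(self, seed: bytes, n_leaves: int, state_path: str):
        self.seed, self.n, self.path = seed, n_leaves, state_path
        self.next_leaf = self._load()
        self.pk = [lamport_keygen(seed, i)[1] for i in range(n_leaves)]

    def _load(self) -> int:
        if not os.path.exists(self.path):
            return 0
        with open(self.path) as f:
            return json.load(f)["next_leaf"]

    def _persist(self, value: int) -> None:
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"next_leaf": value}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)             # atomic rename

    def sign(self, message: bytes):
        stored = self._load()
        if stored != self.next_leaf:           # T1: the two copies diverged, refuse to sign
            raise StateError(f"counter mismatch: storage={stored} memory={self.next_leaf}")
        if self.next_leaf >= self.n:
            raise StateError("all one-time keys have been used")
        leaf = self.next_leaf
        self._persist(leaf + 1)                # reserve the leaf first ...
        self.next_leaf = leaf + 1
        sk, _ = lamport_keygen(self.seed, leaf)
        return leaf, lamport_sign(sk, H(message))  # ... then release the signature

def find_reused_leaves(records):
    """Relying-party check for T2 (cloned signer): `records` are (leaf, message) pairs
    seen under one public key. One leaf over two different messages means a one-time
    key was used twice, so that key should be treated as compromised."""
    seen, reused = {}, set()
    for leaf, msg in records:
        if leaf in seen and seen[leaf] != msg:
            reused.add(leaf)
        seen.setdefault(leaf, msg)
    return sorted(reused)

def demo() -> dict:
    """Happy path, a T1 lost-write scenario and a T2 clone, on constructed data."""
    path = os.path.join(tempfile.mkdtemp(), "hbs_state.json")
    s = StatefulSigner(H(b"constructed demo seed"), 4, path)
    leaf, sig = s.sign(b"reading=21.5C")
    ok = lamport_verify(s.pk[leaf], H(b"reading=21.5C"), sig)
    forged = lamport_verify(s.pk[leaf], H(b"reading=99.9C"), sig)
    s._persist(0)                              # storage rolled back, memory still says 1
    try:
        s.sign(b"second reading")
        mismatch = False
    except StateError:
        mismatch = True
    s._persist(1)                              # repair storage, then clone the state file
    with open(path + ".copy", "w") as f:
        json.dump({"next_leaf": 1}, f)
    a, b = StatefulSigner(s.seed, 4, path), StatefulSigner(s.seed, 4, path + ".copy")
    (la, _), (lb, _) = a.sign(b"from original"), b.sign(b"from clone")  # same leaf twice
    reused = find_reused_leaves([(leaf, b"reading=21.5C"), (la, b"from original"),
                                 (lb, b"from clone")])
    return {"ok": ok, "forged": forged, "mismatch_detected": mismatch,
            "clone_leaves": (la, lb), "reused": reused}
```

The order inside `sign` is the whole point: if the process dies between `_persist` and the `return`, leaf `leaf` is skipped, which costs capacity but never security. The clone case shows the limit of signer-side checks, since each copy keeps a perfectly consistent counter of its own; only a relying party that sees both signatures (or a stateless/hybrid scheme, as the table suggests) can catch it.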

References

  • [1] Ala Al-Fuqaha, Mohsen Guizani, Mehdi Mohammadi, Mohammed Aledhari, and Moussa Ayyash. Internet of Things: A survey on enabling technologies, protocols, and applications. IEEE Communications Surveys & Tutorials, 17(4):2347–2376, 2015.
  • [2] V. Hassija, V. Chamola, V. Saxena, D. Jain, P. Goyal, and B. Sikdar. A survey on IoT security: Application areas, security threats, and solution architectures. IEEE Access, 7:82721–82743, 2019.
  • [3] N. Neshenko, E. Bou-Harb, J. Crichigno, G. Kaddoum, and N. Ghani. Demystifying IoT security: An exhaustive survey on IoT vulnerabilities and a first empirical look on Internet-scale IoT exploitations. IEEE Communications Surveys & Tutorials, 21(3):2702–2733, 2019.
  • [4] Ronald L. Rivest, Adi Shamir, and Leonard Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.
  • [5] Taher ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31(4):469–472, 1985.
  • [6] Don Johnson, Alfred Menezes, and Scott Vanstone. The elliptic curve digital signature algorithm (ECDSA). International Journal of Information Security, 1(1):36–63, 2001.
  • [7] Chi Cheng, Rongxing Lu, Albrecht Petzoldt, and Tsuyoshi Takagi. Securing the Internet of Things in a quantum world. IEEE Communications Magazine, 55(2):116–120, 2017.
  • [8] Peter W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Review, 41(2):303–332, 1999.
  • [9] Eric Anschuetz, Jonathan Olson, Alán Aspuru-Guzik, and Yudong Cao. Variational quantum factoring. In International Workshop on Quantum Technology and Optimization Problems, pages 74–85. Springer, 2019.
  • [10] Lov K. Grover. A fast quantum mechanical algorithm for database search. arXiv preprint quant-ph/9605043, 1996.
  • [11] David McGrew, Panos Kampanakis, Scott Fluhrer, Stefan-Lukas Gazdag, Denis Butin, and Johannes Buchmann. State management for hash-based signatures. In International Conference on Research in Security Standardisation, pages 244–260. Springer, 2016.
  • [12] Denis Butin, Stefan-Lukas Gazdag, and Johannes Buchmann. Real-world post-quantum digital signatures. In Cyber Security and Privacy Forum, pages 41–52. Springer, 2015.
  • [13] Denis Butin. Hash-based signatures: State of play. IEEE Security & Privacy, 15(4):37–43, 2017.
  • [14] Paolo Palmieri. Hash-based signatures for the Internet of Things. In ACM International Conference on Computing Frontiers, CF’18, Ischia, Italy, May 8–10, 2018, Proceedings. Association for Computing Machinery (ACM), 2018.
  • [15] Jean-Philippe Aumasson and Guillaume Endignoux. Improving stateless hash-based signatures. In Cryptographers’ Track at the RSA Conference, pages 219–242. Springer, 2018.
  • [16] Geovandro C. C. F. Pereira, Cassius Puodzius, and Paulo S. L. M. Barreto. Shorter hash-based signatures. Journal of Systems and Software, 116:95–100, 2016.
  • [17] Sebastian Rohde, Thomas Eisenbarth, Erik Dahmen, Johannes Buchmann, and Christof Paar. Fast hash-based signatures on constrained devices. In International Conference on Smart Card Research and Advanced Applications, pages 104–117. Springer, 2008.
  • [18] Santosh Ghosh, Rafael Misoczki, and Manoj R. Sastry. Lightweight post-quantum-secure digital signature approach for IoT motes.
  • [19] Ankur Lohachab, Anu Lohachab, and Ajay Jangra. A comprehensive survey of prominent cryptographic aspects for securing communication in post-quantum IoT networks. Internet of Things, page 100174, 2020.
  • [20] Zhe Liu, Kim-Kwang Raymond Choo, and Johann Grossschadl. Securing edge devices in the post-quantum Internet of Things using lattice-based cryptography. IEEE Communications Magazine, 56(2):158–162, 2018.
  • [21] NIST-FIPS Standard. Announcing the Advanced Encryption Standard (AES). Federal Information Processing Standards Publication, 197(1-51):3–3, 2001.
  • [22] Elaine Barker and Nicky Mouha. Recommendation for the Triple Data Encryption Algorithm (TDEA) block cipher. Technical report, National Institute of Standards and Technology, 2017.
  • [23] John Mulholland, Michele Mosca, and Johannes Braun. The day the cryptography dies. IEEE Security & Privacy, 15(4):14–21, 2017.
  • [24] Duncan Swinscow-Hall. National security in a quantum world, August 09, 2019. Available at https://www.imperial.ac.uk/news/192426/national-security-quantum-world/.
  • [25] Leslie Lamport. Constructing digital signatures from a one-way function. Technical Report CSL-98, SRI International, Palo Alto, 1979.
  • [26] Chris Dods, Nigel P. Smart, and Martijn Stam. Hash based digital signature schemes. In IMA International Conference on Cryptography and Coding, pages 96–115. Springer, 2005.
  • [27] Andreas Hülsing. W-OTS+: Shorter signatures for hash-based signature schemes. In International Conference on Cryptology in Africa, pages 173–188. Springer, 2013.
  • [28] Andreas Hülsing. Practical forward secure signatures using minimal security assumptions. PhD thesis, Technische Universität, 2013.
  • [29] Stefan Kölbl. Putting wings on SPHINCS. In International Conference on Post-Quantum Cryptography, pages 205–226. Springer, 2018.
  • [30] Ralph C. Merkle. A certified digital signature. In Conference on the Theory and Application of Cryptology, pages 218–238. Springer, 1989.
  • [31] Matthias J. Kannwischer. Physical attack vulnerability of hash-based signature schemes. Technical report, Technische Universität Darmstadt, 2017.
  • [32] Johannes Buchmann, Erik Dahmen, and Michael Szydlo. Hash-based digital signature schemes. In Post-Quantum Cryptography, pages 35–93. Springer, 2009.
  • [33] Johannes Buchmann, Erik Dahmen, and Andreas Hülsing. XMSS: A practical forward secure signature scheme based on minimal security assumptions. In International Workshop on Post-Quantum Cryptography, pages 117–129. Springer, 2011.
  • [34] Frank T. Leighton and Silvio Micali. Large provably fast and secure digital signature schemes based on secure hash functions, July 11, 1995. US Patent 5,432,852.
  • [35] Johannes Buchmann, Erik Dahmen, Elena Klintsevich, Katsuyuki Okeya, and Camille Vuillaume. Merkle signatures with virtually unlimited signature capacity. In International Conference on Applied Cryptography and Network Security, pages 31–45. Springer, 2007.
  • [36] Andreas Hülsing, Lea Rausch, and Johannes Buchmann. Optimal parameters for XMSS^MT. In International Conference on Availability, Reliability, and Security, pages 194–208. Springer, 2013.
  • [37] Andreas Hülsing, Joost Rijneveld, and Fang Song. Mitigating multi-target attacks in hash-based signatures. In Public-Key Cryptography – PKC 2016, pages 387–416. Springer, 2016.
  • [38] David McGrew, Michael Curcio, and Scott Fluhrer. Hash based signatures: draft-mcgrew-hash-sigs-06. Crypto Forum Research Group, 2016.
  • [39] Leonid Reyzin and Natan Reyzin. Better than BiBa: Short one-time signatures with fast signing and verifying. In Australasian Conference on Information Security and Privacy, pages 144–153. Springer, 2002.
  • [40] Daniel J. Bernstein, Daira Hopwood, Andreas Hülsing, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Michael Schneider, Peter Schwabe, and Zooko Wilcox-O’Hearn. SPHINCS: Practical stateless hash-based signatures. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 368–397. Springer, 2015.
  • [41] Shay Gueron and Nicky Mouha. SPHINCS-Simpira: Fast stateless hash-based signatures with post-quantum security. IACR Cryptology ePrint Archive, 2017:645, 2017.
  • [42] Daniel J. Bernstein, Andreas Hülsing, Stefan Kölbl, Ruben Niederhagen, Joost Rijneveld, and Peter Schwabe. The SPHINCS+ signature framework. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pages 2129–2146, 2019.
  • [43] Shai Halevi and Hugo Krawczyk. Strengthening digital signatures via randomized hashing. In Annual International Cryptology Conference, pages 41–59. Springer, 2006.
  • [44] Sabah Suhail, Choong Seon Hong, and Abid Khan. Orchestrating product provenance story: When IOTA ecosystem meets the electronics supply chain space. arXiv preprint arXiv:1902.04314, 2019.
  • [45] Sabah Suhail, Rasheed Hussain, Mohammad Abdellatif, Shashi Raj Pandey, Abid Khan, and Choong Seon Hong. Provenance-enabled packet path tracing in the RPL-based Internet of Things. Computer Networks, page 107189, 2020.
  • [46] Aleksey K. Fedorov, Evgeniy O. Kiktenko, and Alexander I. Lvovsky. Quantum computers put blockchain security at risk. Nature, 563(7732):465–467, 2018.
  • [47] Available at https://github.com/theQRL/Whitepaper/blob/master/QRL_whitepaper.pdf.
  • [48] Sergei Popov. IOTA whitepaper. Technical white paper, 2017.
  • [49] Miguel Herrero-Collantes and Juan Carlos Garcia-Escartin. Quantum random number generators. Rev. Mod. Phys., 89:015004, Feb 2017.
  • [50] Mehran Mozaffari-Kermani, Reza Azarderakhsh, and Anita Aghaie. Fault detection architectures for post-quantum cryptographic stateless hash-based secure signatures benchmarked on ASIC. ACM Transactions on Embedded Computing Systems (TECS), 16(2):59, 2017.
  • [51] https://www.dwavesys.com/d-wave-two-system.
  • [52] IBM unveils world’s first integrated quantum computing system for commercial use, 2019. https://newsroom.ibm.com/2019-01-08-IBM-Unveils-Worlds-First-Integrated-Quantum-Computing-System-for-Commercial-Use.
  • [53] Frank Arute, Kunal Arya, Ryan Babbush, Dave Bacon, Joseph C. Bardin, Rami Barends, Rupak Biswas, Sergio Boixo, Fernando G. S. L. Brandao, David A. Buell, et al. Quantum supremacy using a programmable superconducting processor. Nature, 574(7779):505–510, 2019.
  • [54] Edwin Pednault, John A. Gunnels, Giacomo Nannicini, Lior Horesh, and Robert Wisnieff. Leveraging secondary storage to simulate deep 54-qubit Sycamore circuits. arXiv preprint arXiv:1910.09534, 2019.
  • [55] Information Assurance Directorate at the National Security Agency: Commercial National Security Algorithm Suite, 2015. https://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm.
  • [56] Lily Chen, Stephen Jordan, Yi-Kai Liu, Dustin Moody, Rene Peralta, Ray Perlner, and Daniel Smith-Tone. Report on post-quantum cryptography. US Department of Commerce, National Institute of Standards and Technology, 2016.
  • [57] Post-quantum cryptography. Available at https://csrc.nist.gov/projects/post-quantum-cryptography (Accessed 20 March 2019).
  • [58] Mark Pecen et al. Quantum safe cryptography and security: An introduction, benefits, enablers and challenges, white paper. European Telecommunications Standards Institute, 2014.
  • [59] Quantum-safe cryptography (QSC). Available at https://www.etsi.org/technologies/quantum-safe-cryptography (Accessed 10 April 2019).
  • [60] D. McGrew, M. Curcio, and S. Fluhrer. Internet-Draft: Hash-based signatures. Internet Engineering Task Force, 2017.
  • [61] Andreas Hülsing, Denis Butin, Stefan Gazdag, Joost Rijneveld, and Aziz Mohaisen. Internet-Draft: XMSS: Extended hash-based signatures. Internet Engineering Task Force, 2017.
  • [62] Post-quantum cryptography. Available at https://pqcrypto.org/ (Accessed 10 April 2019).
  • [63] Safe crypto. Available at https://www.safecrypto.eu/ (Accessed 10 April 2019).
  • [64] Cryptomathcrest. Available at http://crypto.mist.i.u-tokyo.ac.jp/crest/english/ (Accessed 10 April 2019).
  • [65] Adam C. Everspaugh and Benita Bose. Virtual machine reset-atomicity in Xen. Technical report, University of Wisconsin-Madison, 2013.
  • [66] Andreas Hülsing, Denis Butin, Stefan Gazdag, and Aziz Mohaisen. XMSS: Extended hash-based signatures. Crypto Forum Research Group Internet-Draft draft-irtf-cfrg-xmss-hash-based-signatures-01, 2015.
  • [67] Andreas Hülsing, Christoph Busold, and Johannes Buchmann. Forward secure signatures on smart cards. In International Conference on Selected Areas in Cryptography, pages 66–80. Springer, 2012.
  • [68] Ronald De Wolf. The potential impact of quantum computers on society. Ethics and Information Technology, 19(4):271–276, 2017.
  • [69] https://www.ibm.com/quantum-computing/.
  • [70] Moshe Y. Vardi. Quantum hype and quantum skepticism. Communications of the ACM, 62(5):7–7, 2019.
  • [71] Katia Moskvitch. The argument against quantum computers, February 7, 2018. Available at https://www.quantamagazine.org/gil-kalais-argument-against-quantum-computers-20180207/.
  • [72] National Academies of Sciences, Engineering, and Medicine. Quantum computing: Progress and prospects. National Academies Press, 2019.
  • [73] Mikael Sjöberg. Post-quantum algorithms for digital signing in public key infrastructures, 2017.