Improving Bitcoin’s Post-Quantum Transaction Efficiency With a Novel Lattice-Based Aggregate Signature Scheme Based on CRYSTALS-Dilithium and a STARK Protocol

This paper proposes a novel lattice-based aggregate signature (LAS) scheme that brings post-quantum security to the Bitcoin system without sacrificing its transaction efficiency. Bitcoin currently employs the Elliptic Curve Digital Signature Algorithm (ECDSA), which is insecure against the emerging quantum technology, so post-quantum signature schemes like the proposed LAS will become necessary in the near future. However, most post-quantum signature schemes have large signature sizes, which decrease Bitcoin's efficiency. Even CRYSTALS-Dilithium, the most prominent post-quantum signature scheme chosen by the National Institute of Standards and Technology (NIST), has this adverse limitation: it would cause Bitcoin's transaction efficiency to fall by 17 times, from 2759.36622 transactions per block (tpb) to 159.48374 tpb. The existing signature schemes are unable to resolve this efficiency problem for Bitcoin. We crafted a novel LAS scheme based on CRYSTALS-Dilithium and a zero-knowledge Scalable Transparent Argument of Knowledge (STARK) protocol to tackle this problem. The proposed LAS scheme takes full advantage of signature aggregation using the STARK protocol and of Dilithium's easy and fast implementation, thus generating signatures with post-quantum security and small signature sizes, which are critical to transaction efficiency. Our proofs establish the correctness, compactness, and post-quantum security of our scheme in the quantum random oracle model, and our implementation in Python showed that the proposed scheme would only decrease Bitcoin's transaction efficiency by 3 times, a significant improvement over using Dilithium and other lattice-based aggregate signature schemes. Our proposed scheme has many advantages over the existing schemes and will become very valuable to Bitcoin.


I. INTRODUCTION
Digital signatures are essential to the security of Bitcoin and blockchain technology. Every valid Bitcoin transaction has to be signed by the sender and then recorded on the Bitcoin blockchain. Digital signatures ensure the security of Bitcoin transactions and enable robust and efficient methods of verification.
The associate editor coordinating the review of this manuscript and approving it for publication was Diana Gratiela Berbecaru .
Currently, Bitcoin utilizes ECDSA to generate digital signatures that are secure against attacks from classical computers, but quantum computers can break ECDSA easily. Therefore, we investigate CRYSTALS-Dilithium, a Lattice-Based Digital Signature Scheme that can be utilized in a post-quantum setting. Dilithium was selected by NIST as the primary post-quantum digital signature algorithm, so it will likely be used for Bitcoin and other important areas of application [1].
The problem, however, is that Dilithium and other post-quantum signature schemes generate signatures that are much larger than signatures generated by ECDSA. An increase in signature size should result in an increase in the Bitcoin block size, but since Bitcoin has a block size limit of 1MB, this increase in block size will not be possible. Instead, we will have to decrease the number of transactions per block to maintain the 1MB block size, which will cause transaction efficiency to fall.
Since using Dilithium decreases Bitcoin's post-quantum transaction efficiency (measured by the number of transactions per block), we wish to craft an aggregate signature scheme that will increase Bitcoin's transaction efficiency from that of Dilithium. Using the proposed signature scheme, we hope to generate one compact signature for multiple transactions in the same Bitcoin block.

B. RELATED WORKS
Ever since lattice-based cryptography was introduced in 1996, there have been many studies concerning lattice-based aggregate signatures.
There are two types of aggregate signatures: general and sequential. Sequential aggregate signature schemes require a strict order to exist among individual signatures, and most sequential aggregate signature schemes are developed based on the Rivest-Shamir-Adleman (RSA) problem or bilinear maps, which makes them vulnerable to quantum attacks. There are, however, sequential aggregate lattice-based signature schemes with quantum security based on lazy verification [2], FALCON-based trapdoor functions [3], or NTRUSign [4], but in these schemes each user has to verify the signature of the user prior to them, which decreases the efficiency of the schemes.
On the other hand, in 2012, Zhang et al. introduced a homomorphic technique for an unordered lattice-based aggregate signature scheme, but all signers in this scheme have to have the same public key in order for the i-th signer to sign a message m_j without the j-th signer knowing anything about it [5]. In 2014, Jing et al. also proposed a lattice-based homomorphic unordered aggregate signature scheme that reduces signature length and increases efficiency [6]. However, a problem for both of these schemes is that every signer of the aggregate signature can sign messages on behalf of other signers without their consent. This is exceedingly detrimental for Bitcoin transactions, for users may lose a tremendous amount of money to adversaries.
In 2016, Bansarkhani et al. proposed the first unordered interactive lattice-based aggregate signature scheme that is provably secure in the random oracle model [7], and in 2018, Lu et al. proposed an unordered lattice-based aggregate signature scheme based on the intersection method [8]. However, these schemes are not combined with other protocols such as a STARK protocol to produce zero-knowledge proofs that protect the privacy of Bitcoin transaction data.
There have been many protocols and services that can protect Bitcoin anonymity. For example, Bao et al. proposed Lockmix, a secure mix service for Bitcoin [9], and in 2012, Bitansky et al. proposed the zero-knowledge Succinct Non-interactive Argument of Knowledge (SNARK) [10]. However, the STARK protocol has an advantage over these other protocols and services: STARK is capable of aggregating signatures with a zero-knowledge proof while preserving post-quantum security, which many other services and protocols cannot do. Thus, we wish to utilize a STARK protocol alongside our scheme.
Since there are few lattice-based aggregate signature schemes that can produce a zero-knowledge proof along with a fast implementation process and a small signature size, we seek to devise a scheme that achieves this and improves Bitcoin's transaction efficiency.

C. RESEARCH AIMS AND SCOPE
The aim of this study is to craft a lattice-based aggregate signature scheme in order to improve the transaction efficiency of Bitcoin and gain post-quantum security and to identify the impacts of transitioning from ECDSA to CRYSTALS-Dilithium on Bitcoin's transaction efficiency.
This paper deals with a lattice-based aggregate digital signature scheme, proofs of the scheme's security, and the scheme's implementation. These fall under the studies of cryptography, mathematics, and computer science, respectively. Knowledge about post-quantum lattice-based cryptography was used to construct the scheme, mathematical knowledge such as abstract algebra was used to write the proofs of the scheme's construction, and coding skills helped implement the scheme and obtain results.
The scope of the study, however, is limited to signature schemes for Bitcoin, and not other cryptocurrencies. We also focused on lattice-based signatures specifically, due to their efficient functionality for post-quantum Bitcoin and NIST's recommendation, and did not investigate other post-quantum signatures. We also chose to involve a STARK protocol to produce zero-knowledge proofs and did not combine our LAS scheme with other protocols.

D. OUR CONTRIBUTION
In this paper, we calculated how shifting from ECDSA to CRYSTALS-Dilithium would affect Bitcoin's transaction efficiency. We investigated different transaction types (P2PKH, P2PK, and P2SH) and computed their transaction sizes under the two different signature schemes. With that, we found the transaction efficiency of the two schemes.
After our discovery that CRYSTALS-Dilithium will decrease Bitcoin's transaction efficiency by 17 times, we devised our lattice-based aggregate signature scheme. We formulated the algorithms in the scheme based on Dilithium and applied it with a STARK protocol. We used proofs of compactness, correctness, and post-quantum security to show that our scheme is compact, correct, and secure in the quantum random oracle model because our scheme is based on the hardness of the Module Learning With Errors (MLWE) and Module Short Integer Solution (MSIS) problems.
We implemented our scheme with a set of parameters described in the paper and obtained the result that our proposed scheme only decreases Bitcoin's transaction efficiency by 3 times, which is a notable improvement from Dilithium. We also compared our scheme with several other lattice-based aggregate signature schemes and found that our scheme is the most efficient. Therefore, in a post-quantum era, our scheme will be important for Bitcoin.

E. PAPER ORGANIZATION
The rest of this paper is organized as follows. Section II introduces preliminaries regarding different signature schemes and their role in the Bitcoin system. Starting from the basis of a signature scheme, we delve into aggregate signature schemes, proofs for signature schemes, and CRYSTALS-Dilithium. We also present the zero knowledge STARK protocol that we utilize later with our LAS construction. Section III shows our calculations of how Bitcoin's transaction efficiency is expected to fall when transitioning to CRYSTALS-Dilithium. Section IV concerns the specifics of our LAS construction and proofs for our construction. Section V is the implementation of our LAS scheme and compares our scheme's efficiency to other post-quantum schemes: our proposed scheme is more efficient and does not cause Bitcoin's transaction efficiency to fall as much. We also discuss the strengths and shortcomings of our proposed scheme. Section VI summarizes our work and concludes the discussion of our proposed LAS scheme.

A. BITCOIN AND BLOCKCHAIN
Bitcoin is a digital, secure, and decentralized medium of exchange that utilizes a peer-to-peer electronic cash system without relying on trust: the Bitcoin system employs blockchain technology to record transactions on blocks and then utilizes cryptographic methods such as digital signature schemes to construct transactions. Transactions are the foundations of the Bitcoin system, for every component of Bitcoin is designed to ensure the safety and efficiency of transactions.
Bitcoin has one blockchain, which is a global ledger of transactions that are maintained across several computers linked in a peer-to-peer network. Each block in the blockchain is composed of a block header and different transactions, and the size of a transaction is determined by the input, output, and scripts of that transaction, which we will discuss in Section III. There are many elements to a transaction, and the elements that we are the most concerned with are the public key, private key, hash, and signature, for they are most frequently utilized in digital signature schemes and transactions.
Bitcoin utilizes a hash algorithm to ensure data integrity, public keys corresponding to Bitcoin user addresses, private keys for users to prove ownership over their Bitcoins, and signatures for users to sign transactions and verify the Bitcoin transactions.
In this study, we are also concerned with Bitcoin's scalability problem: Bitcoin's limited capability to process large numbers of transactions in a short period of time [12]. Bitcoin has a block size limit of 1MB due to this scalability problem, and Bitcoin can only process 3-7 transactions per second. When using a post-quantum signature scheme, the increase in signature size would either cause the block size to increase or the number of transactions per block to decrease. The latter will take place, for the block size limit may not be surpassed, and transaction efficiency will be sacrificed. Thus, we seek to craft a lattice-based signature scheme that will bring down the size of post-quantum Bitcoin signatures and increase the transaction efficiency.

B. SIGNATURE SCHEMES
Signatures in Bitcoin transactions are very important, as they ensure that the transaction is verified, authentic, and legitimate, and signature schemes are used to generate unique signatures for different transactions. We will start with the basic definition of a signature scheme [13].
Definition 1 (Signature Scheme): A signature scheme consists of three algorithms: Key Generation (KeyGen), Signing (Sign), and Verification (Verify). In particular:
• KeyGen: A private key sk and a public key pk are chosen.
• Sign: With the secret key sk, a user can sign the transaction m by using this algorithm to generate a signature σ.
• Verify: Given the public key pk, a transaction m, and a signature σ, anyone can verify whether this signature is the corresponding signature to this transaction.
The signature scheme described above is the backbone of more complex signature schemes. Most signature schemes have these three algorithms or a variation of them, and those schemes may have additional algorithms for different purposes. Since we are constructing an aggregate signature scheme, we will explain how an aggregate signature scheme differs from this basic signature scheme.
Definition 2 (Aggregate Signature Scheme): An aggregate signature scheme is a tuple of five algorithms. Three of the algorithms (KeyGen, Sign, and Verify) are the same as the algorithms in the most basic signature scheme, and two additional algorithms are defined below.
• AggSig: Given n different transactions M, their corresponding signatures (generated by Sign), and the corresponding public keys PK, the user gets one aggregate signature σ_agg as output.
• AggSigVerify: Given one aggregate signature σ_agg, the user can verify this signature with PK and M.
Every aggregate signature scheme has to preserve compactness, correctness, and unforgeability, which we define below.
Definition 3 ([13] Compactness): Let π = (KeyGen, Sign, SignAgg, Verify, AggSigVerify) be an aggregate signature scheme. π is compact if there exists a polynomial f(x) and a negligible function g(x) such that for every security parameter λ and set of messages M = {m_1, m_2, ..., m_n}, we get that the probability of the bound on |σ_ag| holds, where Pr is the probability of the indicated inequality holding and |σ_ag| is the bit length of σ_ag.
A function f is negligible if, for every positive integer a, there exists $m \in \mathbb{Z}_{\ge 1}$ such that every integer $n \ge m$ satisfies $|f(n)| \le \frac{1}{n^a}$.
Definition 5 ([13] Correctness): Let π = (KeyGen, Sign, SignAgg, Verify, AggSigVerify) be an aggregate signature scheme. π is correct if for all security parameters λ ∈ N and any number of messages n ∈ N, the verification of the aggregate signature succeeds, where everything is defined as in Equation 1.
• An admissible adversary A is an adversary that returns a verifying set of PK and M and a signature σ* such that . . . m_i* was never added to the signing oracle of the adversary.
The following is an unforgeability experiment of the signature scheme:
1) Public parameters are generated with λ.
2) KeyGen generates the secret key sk* and public key pk*.
3) The admissible adversary generates (PK, M, σ_ag) with the public parameters and public key pk* through A^{Sign(sk*, ·)}.
4) The experiment outputs AggSigVerify(PK, M, σ_ag).

C. CRYSTALS-DILITHIUM: A LATTICE-BASED DIGITAL SIGNATURE SCHEME
CRYSTALS-Dilithium is a lattice-based digital signature scheme that consists of three algorithms: Key Generation, Signing, and Verification, and the security of the scheme is based on the hardness of the MLWE and MSIS problems on a lattice. Dilithium follows a Schnorr framework with a rejection-sampling step, making the signature size relatively small. All operations in Dilithium are done in the ring $R = \mathbb{Z}_q[X]/(X^{256} + 1)$ with $q = 2^{23} - 2^{13} + 1$, and SHAKE-256 is used for hashing. Moreover, all sampling (the process of choosing arbitrary values for variables in a certain range) done in Dilithium is uniform [15].
A signature is σ = (z, h, c), where:
• c is the hash of the highest order bit of Ay for some arbitrary y in [−γ, γ];
• z = y + c·s_1;
• h is a carry bit hint vector, meaning that it is a 1-bit hint that allows us to recover the highest bit of Ay − c·s_2 without −c·t_0 (we just need h and Ay − c·s_2 + c·t_0), because high(Ay − c·s_2) = high(Ay − c·s_2 + c·t_0); high is the function that gives the highest order bit and t_0 is the lowest order bit of t.
Moreover, the following conditions must be satisfied. If any of the conditions are not satisfied, we need to choose our y again:
• ‖z‖ < γ − β for β = max ‖c·s_2‖;
• the lowest order bit of (Ay − c·s_2) < γ − β, where ω is a constant set by us.
See Figure 1 below for a comprehensive overview of CRYSTALS-Dilithium in pseudocode.

1) NTT DOMAIN REPRESENTATION
In order to work with the matrix A, we use an implementation via the Number Theoretic Transform (NTT) in our selected ring, for it is very efficient. The NTT is a variation of the Fast Fourier Transform (FFT): instead of working in the complex field, we work in the finite field $\mathbb{Z}_q$.
First, we choose a prime q ≡ 1 (mod 512) so that there is an element r in the group $\mathbb{Z}_q^*$ that is a 512-th root of unity. Then, we get that $X^{256} + 1 = (X - r)(X - r^3)\cdots(X - r^{511}) = \prod_{i=0}^{255}(X - r^{2i+1})$. By the Chinese Remainder Theorem, we get the following isomorphism: any polynomial $a \in \mathbb{Z}_q[X]/(X^{256} + 1)$ can be represented by $(a(r), a(r^3), \ldots, a(r^{511}))$, and thus the product of polynomials is coordinate-wise. Therefore, the polynomial multiplications that involve the matrix A can be computed easily with the help of the FFT, which is defined below.
Definition 7 ([16] Fast Fourier Transform (FFT)): Let $f \in \mathbb{Q}[x]/(\phi)$. For our purpose, let $\phi = x^{256} + 1$ and let $\Omega_\phi$ be the set of complex roots of φ. Since $\phi(x) = \prod_{\zeta \in \Omega_\phi}(x - \zeta)$ by Equation 6, we get that $\mathrm{FFT}_\phi(f)$, the fast Fourier transform of f with respect to φ, can be denoted below. As stated above, polynomial addition, subtraction, multiplication, and division modulo φ can be computed very efficiently in the FFT domain because we can perform them component-wise.
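To make the CRT isomorphism concrete, the following Python is an added example (not code from the paper or from the Dilithium reference implementation): it finds a primitive 512-th root of unity r in Z_q for Dilithium's q, evaluates polynomials at the odd powers r, r^3, ..., r^511, and checks that coordinate-wise multiplication in that domain agrees with schoolbook multiplication modulo X^256 + 1. The O(n^2) evaluation stands in for the butterfly network of a real NTT; the inverse formula used in intt is derived in its docstring.

```python
import random

Q = 2**23 - 2**13 + 1   # 8380417, the Dilithium modulus; q - 1 = 2^13 * 1023, so 512 | q - 1
N = 256                 # ring degree: we work modulo X^256 + 1


def find_512th_root(q: int = Q) -> int:
    """Return a primitive 512-th root of unity r in Z_q^*.

    r = g^((q-1)/512) always satisfies r^512 = 1; it is primitive exactly when
    r^256 = -1 (mod q), which happens for any quadratic non-residue g.
    """
    assert (q - 1) % 512 == 0
    for g in range(2, q):
        r = pow(g, (q - 1) // 512, q)
        if pow(r, 256, q) == q - 1:
            return r
    raise ValueError("no primitive 512-th root of unity")  # unreachable for this q


R = find_512th_root()
# The 256 odd powers r, r^3, ..., r^511 are exactly the roots of X^256 + 1 in Z_q,
# since (r^(2k+1))^256 = (r^256)^(2k+1) = (-1)^(2k+1) = -1.
ROOTS = [pow(R, 2 * k + 1, Q) for k in range(N)]


def ntt(a: list) -> list:
    """Forward transform: evaluate a(X) at every root r^(2k+1), i.e. map the
    coefficient vector to (a(r), a(r^3), ..., a(r^511)).  Plain O(n^2) Horner
    evaluation; a butterfly network computes the same vector in O(n log n)."""
    out = []
    for x in ROOTS:
        acc = 0
        for coeff in reversed(a):
            acc = (acc * x + coeff) % Q
        out.append(acc)
    return out


def intt(a_hat: list) -> list:
    """Inverse transform: a_i = (1/256) * sum_k a_hat[k] * r^(-(2k+1) i).
    This inverts ntt() because sum_k (r^2)^(k (j-i)) equals 256 if i = j and 0
    otherwise (r^2 is a primitive 256-th root of unity, and |j - i| < 256)."""
    inv_n = pow(N, -1, Q)
    out = [0] * N
    for k, x in enumerate(ROOTS):
        x_inv = pow(x, -1, Q)
        x_inv_pow = 1                       # running value of x^(-i)
        for i in range(N):
            out[i] = (out[i] + a_hat[k] * x_inv_pow) % Q
            x_inv_pow = x_inv_pow * x_inv % Q
    return [v * inv_n % Q for v in out]


def pointwise_mul(a_hat: list, b_hat: list) -> list:
    """Multiplication in the NTT domain is coordinate-wise (the CRT isomorphism)."""
    return [(x * y) % Q for x, y in zip(a_hat, b_hat)]


def negacyclic_mul(a: list, b: list) -> list:
    """Reference result: schoolbook product reduced modulo X^256 + 1 (X^256 = -1)."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                res[i + j] = (res[i + j] + ai * bj) % Q
            else:
                res[i + j - N] = (res[i + j - N] - ai * bj) % Q
    return res


def ntt_mul(a: list, b: list) -> list:
    """Ring multiplication via the isomorphism: transform, multiply coordinate-wise, invert."""
    return intt(pointwise_mul(ntt(a), ntt(b)))


def check_isomorphism(seed: int = 1) -> bool:
    """Constructed check on two pseudo-random polynomials with coefficients in Z_q."""
    rng = random.Random(seed)
    a = [rng.randrange(Q) for _ in range(N)]
    b = [rng.randrange(Q) for _ in range(N)]
    return intt(ntt(a)) == a and ntt_mul(a, b) == negacyclic_mul(a, b)


if __name__ == "__main__":
    print("primitive 512-th root of unity r =", R)
    print("NTT product == schoolbook product:", check_isomorphism())
```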
In short, Dilithium is a lattice-based signature scheme that is easy to implement, fast, compact, and quantum-resistant.

D. STARK PROTOCOL: SCALABLE TRANSPARENT ARGUMENTS OF KNOWLEDGE
A Scalable Transparent Argument of Knowledge (STARK) protocol is a hash-based verification method that uses minimal resources and provides post-quantum security. We use this protocol with the proposed LAS scheme in order to ensure its security and produce zero-knowledge proofs alongside the signatures. The STARK protocol is defined below by a tuple of three algorithms: (Setup, Prove, Verify).
• Setup: Outputs the public parameters pp randomly when given a security parameter λ and a program Prog, where Prog is any program that utilizes public randomness and outputs algebraic intermediate representations of the input, such that Prog: {0, 1}* → {0, 1}.
• Prove: Takes pp, a statement stmt, and the set of signatures such that Prog(stmt) = 1. Generates a proof π as output.
• Verify: Takes pp, a statement stmt, and a proof π as input. Output is a boolean variable that denotes whether this proof is valid or not.
Note that STARK.Setup is transparent because it only relies on public randomness, and it satisfies standard security in a random oracle model, including completeness and knowledge extraction [17], [18].

III. BITCOIN'S EXPECTED TRANSACTION EFFICIENCY USING ECDSA VS CRYSTALS-DILITHIUM
The size of signatures generated by CRYSTALS-Dilithium differs for different security levels. In this paper, we consider Dilithium2 (Dilithium with a NIST security level of 2), which offers enough quantum security and has a relatively small signature size and public key size. Dilithium2 has a signature size of around 2420B, which is about 33 times the size of signatures generated by ECDSA (approximately 72.5 bytes). It is obvious that the Bitcoin transaction efficiency measured in transactions per block would have to decrease with Dilithium instead of ECDSA, but we wish to find out the extent of that decrease in order to compare it with how much our LAS scheme would decrease the transaction efficiency. To the best of our knowledge, there has not been a study on Bitcoin's transaction efficiency using CRYSTALS-Dilithium compared to using ECDSA.
In our calculations, we consider three types of Bitcoin transactions: Pay-to-Public-Key-Hash (P2PKH), Pay-to-Public-Key (P2PK), and Pay-to-Script-Hash (P2SH), for these three are the most frequently seen transactions [19]. With data on the frequencies of different transaction types in Bitcoin [20], we create the following table.
For each transaction type, we calculate the transaction size with two inputs and two outputs when using ECDSA and when using CRYSTALS-Dilithium with the following set of equations:
• For every transaction size S_T, we get that S_T is determined by S_I, the size of the input with scripts, and S_O, the size of the output with scripts.
• P2PKH: Let s be the signature size and let pkh be the size of the public key hash.
• P2PK: Let s be the signature size and let pk be the size of the public key.
• P2SH: Let s be the signature size and pk be the public key size.
With the equations above, we get the following tables of values of transaction sizes. Now, we combine the tables above to obtain the increase in Bitcoin block size if we did not decrease the number of transactions per block in compensation. By adding the products of the frequency of each transaction type and its corresponding transaction size, we get the average transaction size. Then, an average block size is calculated by adding 85 to 2759.12 times the average transaction size, since there is an average of 2759.12 transactions per block. Now, we decrease the number of transactions per block as a remedy for the increase in block size so that the final block size stays at 1MB. The average number of transactions per block using CRYSTALS-Dilithium is calculated below.
Finally, as seen in Figure 6, the transaction efficiency decreases by around 17 times under Dilithium compared to ECDSA.
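As an added illustration of the Section III calculation (not the paper's own code, and not its exact size tables), the following Python models the transaction size S_T from input and output sizes for the three transaction types and derives transactions per block for ECDSA and Dilithium2, plus a hypothetical block layout in which one aggregate signature replaces the per-input signatures. Assumptions: standard Bitcoin serialization (36-byte outpoint, 4-byte sequence, CompactSize lengths, push opcodes), a 33-byte compressed ECDSA key, a 1312-byte Dilithium2 public key, and a constructed type-frequency mix, so the resulting ratio is near, not equal to, the paper's 17 times.

```python
from dataclasses import dataclass

BLOCK_LIMIT = 1_000_000   # 1 MB block size limit, as on the page
BLOCK_HEADER = 85         # bytes added to every block in the page's block-size formula


@dataclass(frozen=True)
class SigScheme:
    name: str
    sig: float      # signature size in bytes
    pk: int         # public key size in bytes


ECDSA = SigScheme("ECDSA", 72.5, 33)              # ~72.5 B signature (page), compressed key (assumed)
DILITHIUM2 = SigScheme("Dilithium2", 2420, 1312)  # ~2420 B signature (page), level-2 public key


def push_len(n: int) -> int:
    """Bytes of the opcode needed to push n data bytes onto the script stack."""
    if n <= 75:
        return 1          # direct push
    if n <= 0xff:
        return 2          # OP_PUSHDATA1
    if n <= 0xffff:
        return 3          # OP_PUSHDATA2
    return 5              # OP_PUSHDATA4


def varint(n: int) -> int:
    """Bytes of a CompactSize (varint) encoding of n."""
    if n < 0xfd:
        return 1
    if n <= 0xffff:
        return 3
    if n <= 0xffffffff:
        return 5
    return 9


def script_sig_size(s: SigScheme, kind: str) -> float:
    """Unlocking script that carries the signature (assumed single-key layouts)."""
    if kind == "P2PKH":                       # <sig> <pubkey>
        return push_len(int(s.sig)) + s.sig + push_len(s.pk) + s.pk
    if kind == "P2PK":                        # <sig>
        return push_len(int(s.sig)) + s.sig
    if kind == "P2SH":                        # <sig> <redeemScript>, redeemScript = <pubkey> OP_CHECKSIG
        redeem = push_len(s.pk) + s.pk + 1
        return push_len(int(s.sig)) + s.sig + push_len(redeem) + redeem
    raise ValueError(kind)


def script_pubkey_size(s: SigScheme, kind: str) -> int:
    """Locking script of an output: P2PKH/P2SH commit to a 20-byte hash, P2PK to the key itself."""
    if kind == "P2PKH":
        return 25                              # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if kind == "P2SH":
        return 23                              # OP_HASH160 <20> OP_EQUAL
    if kind == "P2PK":
        return push_len(s.pk) + s.pk + 1       # <pubkey> OP_CHECKSIG
    raise ValueError(kind)


def input_size(s: SigScheme, kind: str) -> float:
    """S_I = outpoint + script length + scriptSig + sequence."""
    script = script_sig_size(s, kind)
    return 36 + varint(int(script)) + script + 4


def output_size(s: SigScheme, kind: str) -> int:
    """S_O = value + script length + scriptPubKey."""
    script = script_pubkey_size(s, kind)
    return 8 + varint(script) + script


def tx_size(s: SigScheme, kind: str, n_in: int = 2, n_out: int = 2) -> float:
    """S_T = version + inputs + outputs + locktime, for the page's two-in/two-out setting."""
    return (4 + varint(n_in) + n_in * input_size(s, kind)
            + varint(n_out) + n_out * output_size(s, kind) + 4)


def average_tx_size(s: SigScheme, frequencies: dict) -> float:
    """Frequency-weighted average over transaction types (frequencies sum to 1)."""
    return sum(freq * tx_size(s, kind) for kind, freq in frequencies.items())


def transactions_per_block(avg_tx: float) -> float:
    """N such that BLOCK_HEADER + N * avg_tx = BLOCK_LIMIT (the page's remedy for oversize blocks)."""
    return (BLOCK_LIMIT - BLOCK_HEADER) / avg_tx


# Constructed illustrative mix; the page's frequency table is not reproduced here.
FREQ = {"P2PKH": 0.6, "P2SH": 0.3, "P2PK": 0.1}


def efficiency_drop(baseline: SigScheme = ECDSA, candidate: SigScheme = DILITHIUM2, freq: dict = FREQ) -> float:
    """Factor by which transactions per block fall when moving from baseline to candidate."""
    return (transactions_per_block(average_tx_size(baseline, freq))
            / transactions_per_block(average_tx_size(candidate, freq)))


def transactions_per_block_aggregated(s: SigScheme, freq: dict, agg_sig_bytes: int) -> float:
    """Hypothetical layout: per-input signatures are removed and one aggregate signature of
    agg_sig_bytes is stored once per block (the paper's main idea; its real aggregate size
    depends on its parameters and is not modelled here)."""
    stripped = SigScheme(s.name + "-agg", 0, s.pk)
    return (BLOCK_LIMIT - BLOCK_HEADER - agg_sig_bytes) / average_tx_size(stripped, freq)
```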

IV. A LATTICE-BASED AGGREGATE SIGNATURE (LAS) SCHEME BASED ON CRYSTALS-DILITHIUM AND A STARK PROTOCOL
A. MAIN IDEA
The LAS scheme is a lattice-based aggregate scheme that aggregates the signatures on a Bitcoin block so that the Bitcoin transaction efficiency in a post-quantum era would increase. Therefore, we want to make sure that LAS maintains post-quantum security with Dilithium and a STARK protocol and that our LAS scheme can successfully generate one compact signature for different transactions.
Note that v_i = H(PK ‖ M) ∈ B_{β_1}, where H is the hash function SHAKE-256, which maps anything to {0, 1}* so that the output has a smaller size than the input.
Such that $h_{ag} = \sum_{i=1}^{n} h_i$, because we add h_i in Z and not B.
• LAS.AggSigVerify(PK, M, σ_ag) → (0/1): Takes in the set of public keys, the messages, and the aggregate signature, and outputs a boolean variable which indicates whether the signature is valid or not. In order to perform calculations, we parse σ_ag = (z_ag, h_ag, c_ag). The conditions to be checked for the boolean variable are as follows:
Recall the STARK protocol in Section II-D. Now, we want to use that protocol in conjunction with the LAS construction. We get the following procedure for key generation, signature generation, and verification:
1) Use LAS.KeyGen and LAS.Sign to generate the variables needed.
2) Prog((n, M, PK, LAS.pp, )

1) PROOFS FOR CONSTRUCTION
In order to prove that the proposed LAS scheme is a valid aggregate signature scheme, we must prove that it possesses compactness, correctness, and unforgeability in the quantum random oracle model. Moreover, we will discuss the lattice problem that LAS is based on.
Proof: Let λ be the security parameter, n be the number of signatures to aggregate, and everything else be defined as in Section IV-B. We parse σ_i for i ∈ [n] into (z_i, h_i, c_i). We bound the norm of σ_ag = (z_ag, h_ag, c_ag) using the triangle inequality. Therefore, the size of σ_ag = (z_ag, h_ag, c_ag) can be expressed by f(λ, n) if λ_1, β, β_1, ω = f(λ) ≥ 0.
Theorem 9 (Correctness): The aggregate signature scheme in Construction IV-B is correct (Definition 3).
Proof: Let λ be the security parameter, n be the number of signatures to aggregate, and everything else defined just as in Section IV-B. Similar to the compactness proof, we parse all σ into (z, h, c), and consider the verification process of z, h, c individually.
Since each ‖z_i‖ ≤ γ − β based on our construction, we get that the inequality above must hold. Next, from our construction, we know that c_i = H(w_i ‖ µ_i), and thus the equation above must hold true. Finally, $\|h_{ag}\| \le \sum_{i=1}^{n} \|h_i\| \le n\omega^{1/2}$. Since ‖h_i‖ ≤ √ω, the inequality above must hold.
Proof: The standard evaluation method of security for digital signature schemes is UF-CMA (Unforgeability under Chosen Message Attacks) security, and an even stronger security notion is Strong UF-CMA (SUF-CMA).
In the classical random oracle model, it can be easily shown that the LAS is SUF-CMA secure, for it is based on the hardness of the MLWE and MSIS problems. However, we also need to take into consideration the security of the LAS in the quantum random oracle model (QROM). Since we know that CRYSTALS-Dilithium and the STARK protocol are quantum secure [15], [21], we use their security proofs to prove the security of LAS.
By the SUF-CMA security of Dilithium, we can assume the SUF-CMA security of the KeyGen, Sign, and Verify algorithms of the LAS. In our method of generating and verifying the aggregate signature, we used the technique of preventing rogue attacks and chosen message attacks. Moreover, we used a quantum-resistant STARK protocol to generate a zero-knowledge proof. Therefore, even when a quantum adversary can query the hash function on a superposition of inputs about the aggregate signature, they would not be able to break the scheme. Thus, we get that our AggSig and AggSigVerify have SUF-CMA security in the QROM.
The mathematical proof of what we outlined above is as follows. We want to show that an arbitrary adversary A has only a negligible advantage in breaking the LAS scheme, where the advantage of an adversary is defined as the difference between the adversary's probability of breaking the scheme and the probability that the system can be broken by guessing. The advantage of A in SUF-CMA is defined as follows, where:
• Game G_1 computes the signatures on the message using a simulation algorithm Sim, which outputs a distribution that has statistical distance of at most ε_zk;
• Game G_2 produces a boolean variable evaluated by the expression c = H(W ‖ M);
• Q_s is the number of classical queries to the signing oracle Sign;
• κ is a positive integer constant (the value does not matter for our security proof, as it gets canceled out later on);
• α = 255 is the bits of minimum entropy of our construction scheme;
• ε_zk is the maximum statistical distance between (W, c, Z) and (W, c, Z) ← Trans(sk), where Trans is a transcript oracle that returns a real interaction between the prover and verifier.
Inequality 12 can be rewritten as follows for the proposed LAS scheme [22] (Inequality 13), where D is a probability distribution D: Z_q → [0, 1] and α is the bits of minimum entropy.
Inequality 13 also uses the MLWE and MSIS problems as well as the concept of SelfTargetMSIS, which we explain below. For the proposed LAS scheme, we assume the hardness of the MLWE and MSIS problems, and SelfTargetMSIS is the assumption that new-message forgery is based on, where A is the (4,4) matrix defined in our construction and y = A | H(A).
In order to prove that the advantage of a quantum adversary A is negligible under SUF-CMA, we want the right hand side of Inequality 13 to also be negligible.
Since we assumed the hardness of the MLWE and MSIS problems and we set α = 255, we get that the right-hand side can be simplified to just Adv_SelfTargetMSIS(A). It suffices to prove that Adv_SelfTargetMSIS(A) is negligible.
Adv_SelfTargetMSIS(A) concerns the situation when an adversary receives a random (A, t) and outputs a valid set of messages M and a valid signature σ_ag = (z_ag, h_ag, c_ag). This means that the following conditions must be met. The second condition, in other words, requires us to show that H(w_i ‖ m_i) = c_i. We can rewrite w_i as UseHint(h_i, Az_i − c_i t_1 · 2^d, 2λ_2). By Lemma 1 in [15], we get that w_i = Az_i − c_i t_1 · 2^d + u. Then, we know that the right-hand side is equal to Az_i − c_i t + u′ where u′ = c_i t_0 + u, because t_1 = HighBit(t). Now, we can rewrite w_i as follows, and therefore we rewrite the whole expression involving c_ag accordingly. By the hardness of MLWE, we get that (A, t = As_1 + s_2) is indistinguishable from (A, t) where t is randomly sampled, so this is exactly what we want for Adv_SelfTargetMSIS by Lemma 16. However, note that since we are proving SUF-CMA and not just UF-CMA, we have to consider the case where the adversary A sees a signature (z_ag, h_ag, c_ag) for M and then only changes (z_ag, h_ag). In this case, we have w_i = UseHint(h_i, Az_i − c_i t_1 · 2^d, 2λ_2). Notice that we can apply the same calculations to get that Adv_SelfTargetMSIS(A) is negligible.
Thus, we can claim that the proposed LAS scheme construction has SUF-CMA in QROM.

A. SETTING THE PARAMETERS
There are a few parameters in the proposed LAS scheme that we need to consider when implementing the scheme.
• For the ring $\mathbb{Z}_q[X]/(X^n + 1)$ in which we perform operations, we set $q = 2^{23} - 2^{13} + 1$ and n = 256 in order to ensure that Theorems 8, 9, and 10 always hold.
• In order to make LAS quantum-resistant, we set the size of the matrix A to always be (4,4). This gives sufficient security in a classical random oracle model and in the QROM.
• The following constants are always the same in order that the construction of LAS be reasonable under all circumstances:
• The variables that may be varied for different implementations are β, β_1, ω, η. For implementation and security purposes, we set them as follows:
With the parameters that we set, we implemented the proposed scheme in Python and released it under an MIT license on GitHub [23]. We obtained the following results: the proposed scheme was shown to decrease the Bitcoin transaction efficiency (average transactions per block) by only 3 times from ECDSA, while Dilithium decreased it by 17 times. Therefore, our scheme will become very useful when quantum computers are popularized, for it is not only post-quantum secure but also increases Bitcoin's transaction efficiency compared to CRYSTALS-Dilithium.
We also compared our proposed scheme with other existing lattice-based aggregate signature schemes mentioned in Section I-B using the same parameters.
As seen in Figure 9, although the individual signature size of our scheme is larger, our aggregate signatures have a smaller size than those of other schemes because of our aggregation method. Thus, our scheme has a higher efficiency (Bitcoin blocks using our scheme can contain more transactions per block), so our proposed scheme has great potential to be adopted by post-quantum Bitcoin.

C. ANALYSIS: STRENGTHS AND SHORTCOMINGS
The proposed LAS scheme has several advantages:
• Small aggregate signature size: through our LAS scheme, we generated aggregate signatures for Bitcoin blocks such that the block size is smaller than that of blocks using Dilithium.
• Useful for Bitcoin in a post-quantum setting: since the LAS scheme preserves quantum security against adversaries, this scheme is very beneficial to post-quantum Bitcoin.
• Easy implementation and practicality: the NTT offers efficient implementation in constant time.
• Our proposed scheme generates a zero-knowledge proof along with each aggregate signature, which protects users' privacy.
• Our scheme is unordered and does not require each user to verify the validity of the signature of the user before them.
Overall, our proposed scheme is very efficient and possesses several advantages over the prior schemes in the literature; it is also a significant improvement on the primary post-quantum signature algorithm selected by NIST. Therefore, our scheme presents itself as important to Bitcoin in a post-quantum era.
On the other hand, there are also a few areas of improvement for the LAS scheme:
• Although we reduced the aggregate signature size of a Bitcoin block, the scheme can be further improved so that it decreases the individual signature size even more.
• Future work can also be done on our construction of the aggregate signature and the verification process of the aggregate signature to find an even more efficient process of generating and verifying the aggregate signature.
• Another area of research is to extend our signature scheme to other cryptocurrencies such as Ethereum and understand what modifications are necessary.

VI. CONCLUSION
This study proposes a novel lattice-based aggregate signature scheme that can increase Bitcoin's transaction efficiency in a post-quantum setting. We calculated that the Bitcoin transaction efficiency would fall by 17 times when using CRYSTALS Dilithium, the primary post-quantum signature scheme, compared to using ECDSA. Thus, we decided to construct a new aggregate signature scheme based on CRYSTALS-Dilithium and a STARK protocol so that our scheme possesses the benefits of both the algorithm and the protocol. We implemented our scheme and found that with our scheme, Bitcoin's transaction efficiency would merely decrease by 3 times from using ECDSA. Our scheme could significantly improve Bitcoin's transaction efficiency in a post-quantum world, and it also presents many other benefits such as easy implementation, protection of privacy, practicality, and strong security.