Compact Hybrid Signature for Secure Transition to Post-Quantum Era

Recent advances in quantum-computing technology have threatened the security of classical cryptographic algorithms. This initiated research on Post-Quantum Cryptography (PQC), and the National Institute of Standards and Technology (NIST) PQC standardization is in progress. Coping with the current situation in which the security of existing cryptographic algorithms is already in question and that of new cryptographic algorithms is not yet certain, there has been active research on hybrid schemes combining two algorithms such that the security of the combined scheme is based on both underlying algorithms. For digital signatures, a naive solution for a hybrid scheme is to simply concatenate a classical signature and a quantum-resistant signature. In this paper, however, we propose a compact hybrid signature construction method that combines two randomized signatures such that the size of the combined signature is shorter than that of naive concatenation. Our construction allows for selective verification, which provides backward compatibility and conformance with existing regulations. We demonstrate the feasibility of the proposed method by combining ECDSA P-256 and Falcon-512, which are representative classical and post-quantum signature schemes, respectively. We prove that the combined signature is existentially unforgeable against an adaptive chosen-message attack, even if one of the underlying signature schemes is completely broken and only the other one remains secure. Through experiments on a desktop PC and Raspberry Pi 3 Model B, we verify that the proposed method effectively reduces the combined signature size with negligible computational overhead. Our experimental results demonstrate the proposed method is also applicable to PQC-PQC combinations.


I. INTRODUCTION
Recent advances in quantum computers and quantum algorithms have posed serious risks to existing cryptographic algorithms. For example, Grover's quantum search algorithm [1] is expected to substantially accelerate the brute forcing of symmetric cryptographic schemes, and Shor's algorithm [2] is expected to break standard public-key cryptographic schemes based on prime factorization and discrete logarithm problems. Although they were proposed in 1996 and 1994, respectively, standard cryptographic algorithms such as RSA and DSA [3] have been used securely for several decades because no practical quantum computers have been developed thus far to effectively conduct quantum algorithms. However, the threats posed by quantum algorithms are being realized as quantum computer technology is rapidly developing. In 2022, IBM unveiled a 433-qubit quantum processor, Osprey, with the aim of developing a quantum processor with more than 4,000 qubits by 2025 [4]. In 2023, Google provided experimental results for suppressing quantum errors, although they introduced more qubits [5]. These results demonstrate the possibility of developing practical quantum computers in the near future. In addition, Intel provided better accessibility to quantum computing by publishing the Quantum Software Development Kit version 1.0 in 2023 [6].
The associate editor coordinating the review of this manuscript and approving it for publication was Engang Tian.
Owing to the potential threats of quantum computers, the American National Institute of Standards and Technology (NIST) started Post-Quantum Cryptography (PQC) standardization to standardize quantum-resistant public-key cryptographic algorithms. In 2016, the first round of this standardization was initiated with 45 key encapsulation mechanism (KEM) candidates and 19 digital signature algorithm candidates. After the second and third rounds of evaluation, CRYSTALS-Kyber [7] was selected as the KEM for standardization, and CRYSTALS-Dilithium [8], Falcon [9], and SPHINCS+ [10] were selected as the digital signature algorithms in 2022. In addition, four alternative KEM candidates advanced to the fourth round for future standardization.
It is desirable that the transition to PQC be completed as soon as possible. Mosca's inequality [11] is a well-known illustration of the risk of delay during this transition. Let $x$ be the life span of the data to be kept secure, $y$ be the time required for PQC transition, and $z$ be the time remaining until a large-scale quantum computer becomes available for cryptanalysis. If $z < x + y$, then the data are no longer secure. In particular, we may consider the store-now-decrypt-later (SNDL) attack against a classical encryption algorithm, in which an adversary stores a ciphertext containing valuable data and decrypts it with a quantum computer later [12]. Nevertheless, we must be conservative and cautious when adopting new cryptographic algorithms. For example, the SIKE algorithm [13] was recently broken [14], even though it had already advanced to the fourth round of NIST PQC standardization after a significant amount of analysis.
The two conflicting goals mentioned above, that is, a fast but conservative transition, can be achieved through hybrid cryptographic algorithms. A hybrid cryptographic algorithm combines two distinct algorithms. The two component algorithms are used simultaneously and the security of the combined algorithm is reduced to that of the component algorithms [15]. Therefore, the hybrid scheme should be secure if at least one of the two underlying components remains secure. Thus, the hybrid approach is effective when the security of a new primitive is not yet certain; however, the security of an old primitive is already in question [16].
Active research has been conducted on hybrid schemes that combine classical and PQC algorithms. For hybrid KEMs, Bos et al. proposed the hybrid KEM combining the Learning With Errors (LWE)-based Frodo algorithm and the classical Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol in 2016 [17]. In 2021, Azarderakhsh et al. presented the first hardware implementation of a hybrid KEM comprising SIKE and ECDH [18]. For hybrid digital signatures, Komarova et al. suggested two hybrid digital signature schemes in 2021 that combine CRYSTALS-Dilithium with either the Rabin or Elgamal signature scheme [19]. Recently, Bindel et al. proposed various constructions for hybrid digital signature [15].
In this study, we focus on hybrid digital signatures. Let $\sigma_A(m)$ be a digital signature on message $m$ using the signature scheme $A$. It is obvious that simple concatenation $\sigma_A(m) \| \sigma_B(m)$ of individual signatures of scheme $A$ and scheme $B$ can be an effective hybrid signature that builds on the security of both $A$ and $B$. This can also be realized through nesting one method in the other, e.g., $\sigma_A(m) \| \sigma_B(\sigma_A(m))$. However, with these approaches, the signature length becomes the sum of those of the underlying signatures, which is undesirable in terms of the utilization of limited resources, such as network bandwidth. Therefore, a few alternatives have been proposed to merge signatures and redefine the signature generation and verification processes of the two underlying schemes [15]. However, significantly revising the original form of the individual signatures may raise backward compatibility and regulatory conformance issues. Therefore, we aim to design a hybrid digital signature scheme that is compatible with each underlying individual signature scheme.
In this study, we propose a new hybrid digital signature construction method that combines two randomized digital signature schemes. Our construction satisfies the following properties:
• The constructed hybrid signature is compact. That is, the hybrid signature length is less than the sum of those of the individual signatures. Furthermore, the computational overhead for this optimization is almost negligible.
• Selective verification is possible. When a hybrid signature $\sigma_{AB}(m)$ combining two methods $A$ and $B$ is given, a system that recognizes only the signature scheme $A$ can verify the signature, guaranteeing an equivalent level of security to verify a single signature $\sigma_A(m)$. The same holds for the other scheme $B$. This property provides backward compatibility for a legacy system that only recognizes the classical signature scheme. It may also conform to the current regulations that have not fully standardized the PQC scheme yet. It may also enable a brand-new system to ignore the signature part related to an out-of-date signature scheme.
• The proposed signature scheme is existentially unforgeable under an adaptive chosen message attack. The hybrid signature is secure even when one of the two component signature schemes is completely broken if only the other component remains secure.
The remainder of this paper is organized as follows.
In Section II, we recall the formal definition of a digital signature scheme and provide a slightly modified version of the randomized signature scheme of interest. In Section III, we present a general framework for constructing a randomized hybrid signature scheme. Although we explain hybridization in the context of a combination of classical and PQC schemes, our construction is general, which can be used for classical-classical and PQC-PQC combinations. Section IV presents a specific example of the proposed hybrid method using two representative signature schemes: an Elliptic Curve Digital Signature Algorithm (ECDSA) as a classical signature scheme and Falcon as a post-quantum signature scheme. In Section V, we prove that the proposed signature scheme is existentially unforgeable under an adaptive chosen message attack, even if one of the underlying signature schemes is completely broken. For example, the hybrid ECDSA-Falcon is at least as secure as Falcon, even when ECDSA is completely broken. Section VI verifies the compactness of the proposed method and demonstrates that the computational overhead of our hybridization is almost negligible, on both a desktop PC and Raspberry Pi. Section VII discusses possible applications, extensions and limitations of the proposed method. Finally, Section VIII concludes the paper.

II. PRELIMINARIES: DIGITAL SIGNATURE
A digital signature is used to guarantee the security properties of transmitted data, such as authenticity, integrity, and nonrepudiation. Generally, a digital signature scheme comprises the following four algorithms:
1) $\mathrm{ParamGen}(1^\lambda)$: The system parameters are generated based on security parameter $\lambda$.
2) $\mathrm{KeyGen}(1^\lambda)$: A key pair $(sk, pk)$ is generated, where $sk$ is a private key (a.k.a. secret key) and $pk$ is a public key.
3) $\mathrm{Sign}(sk, m)$: Given a private key $sk$ and a message $m$, a signature $\sigma$ on $m$ is generated.
4) $\mathrm{Ver}(pk, m, \sigma)$: Given a public key $pk$, a message $m$, and a signature $\sigma$, it is verified whether $\sigma$ is a valid signature on $m$ signed by the legitimate user of $sk$ corresponding to $pk$.
Among classical digital signature schemes, three classes are well known: (1) prime factorization-based schemes (such as RSA [20] and its probabilistic version, RSA-PSS [20]), (2) DLP-based schemes (such as Elgamal signature [21] and DSA [22]), and (3) elliptic curve discrete logarithm problem (ECDLP)-based schemes (such as ECDSA [23] and Modified ECDSA [24]). For post-quantum digital signature schemes, new signature schemes such as MQDSS [25], qTESLA [26], picnic [27], Falcon [9], CRYSTALS-Dilithium [8], etc., have recently been proposed.
In this study, we consider randomized signature schemes whose Sign involves random value generation as follows (we denote this type of Sign as $\mathrm{Sign}'$):
1) $\mathrm{Sign}'$ takes $sk$ and $m$ as its inputs, where $sk$ is a private key of legitimate user and $m$ is a message to be signed.
2) $\mathrm{Sign}'$ generates a uniformly random value $k$, and transforms $k$ into $r$ by computing $r = T(k)$. $T$ may be an identity function, where the transformation is just an assignment, i.e., $r = k$.
3) $\mathrm{Sign}'$ calls subroutine rSign with $sk$, $m$, $k$, and $r$.
   a) rSign generates the remaining part of signature, $s = (sk, m, k, r)$.
   b) rSign returns a pair of $(r, s)$.
4) $\mathrm{Sign}'$ outputs a signature $\sigma = (r, s)$.
Following the above conditions, in this study we consider signature schemes that include $r$ transformed from $k$ as part of the signature, such as the Elgamal signature [21], DSA [22], ECDSA [23], Modified ECDSA [24], picnic [27], Falcon [9], etc. In this study, $S$ and $S'$ denote the signature schemes composed of (ParamGen, KeyGen, Sign, Ver) and (ParamGen, KeyGen, $\mathrm{Sign}'$, Ver), respectively.
In this section, we propose a general framework for constructing a hybrid signature scheme by using two individual randomized signature schemes. Fig. 1 shows two signature schemes that generate signatures separately. Let $u$ be a signature scheme ($u = A$ or $B$). The signature generation process $\mathrm{Sign}'_u$ of $u$ generates a uniformly random value, $k_u$, and computes $r_u = T_u(k_u)$. Subsequently, its subroutine $\mathrm{rSign}_u$ computes $s_u = {}_u(sk_u, m_u, k_u, r_u)$ for a message $m_u$ with the private key $sk_u$. When $\mathrm{rSign}_u$ returns the pair $(r_u, s_u)$, $\mathrm{Sign}'_u$ outputs it as the signature $\sigma_u = (r_u, s_u)$. Fig. 2 shows the signature generation process $\mathrm{Sign}'_{AB}$ of the hybrid signature scheme that combines schemes $A$ and $B$.

$\mathrm{Sign}'_{AB}$ generates a uniformly random value $k$ and computes the triple $(r_A, r_B, r) = T_{AB}(k)$ using the merged transformation function $T_{AB}$. $\mathrm{rSign}_A$ and $\mathrm{rSign}_B$ compute $s_A = {}_A(sk_A, m, k, r_A)$ and $s_B = {}_B(sk_B, m, k, r_B)$. Finally, $\mathrm{Sign}'_{AB}$ outputs a signature $\sigma_{AB} = (r, s_A, s_B)$. The merged transformation $T_{AB}$ should be designed such that $r_A$ and $r_B$ are derived from $r$ uniquely and efficiently. Without loss of generality, we assume that $\mathrm{len}(r_A) < \mathrm{len}(r_B)$, where $\mathrm{len}(x)$ is the length of the bit string $x$. Then, we define $r$ and $r_A$ such that they satisfy $r = r_A \| r_\tau$, where $r_\tau$ is a random bit string with length $\mathrm{len}(r_B) - \mathrm{len}(r_A)$ and $\|$ is concatenation. Next, we define $r_B$ as $r_B = f(r)$, with a bijective function $f: \{0,1\}^l \to \{0,1\}^l$ satisfying $f^{-1}(f(x)) = x$, where $l = \mathrm{len}(r_B)$.
Fig. 3 illustrates the signature verification process $\mathrm{Ver}_{AB}$ of the hybrid signature scheme. $\mathrm{Ver}_{AB}$ takes the signature $\sigma_{AB} = (r, s_A, s_B)$ to be verified and recovers $r_A$ and $r_B$ from $r$ using a transformation function $T'_{AB}$ corresponding to $T_{AB}$. Now, $(r_A, s_A)$ and $(r_B, s_B)$ can be verified separately using $\mathrm{Ver}_A$ and $\mathrm{Ver}_B$ as follows: The verification algorithm $\mathrm{Ver}_A$ for the signature scheme $A$ verifies $\sigma_A = (r_A, s_A)$ for $m$ using public key $pk_A$, and $\mathrm{Ver}_B$ for the signature scheme $B$ verifies $\sigma_B = (r_B, s_B)$ for $m$ using public key $pk_B$. $\mathrm{Ver}_{AB}$ combines the verification results of $\mathrm{Ver}_A$ and $\mathrm{Ver}_B$, and rejects signature $\sigma_{AB}$ if one of the two signatures was not successfully verified.
Because the verification process of the proposed scheme accepts a hybrid signature only when both individual signatures are verified, we may expect the proposed scheme to guarantee the maximum security level among individual signature schemes $A$ and $B$. This implies that the proposed scheme is secure even if one of the signature schemes is broken. This is formally proven in Section V.

IV. HYBRID FALCON-ECDSA
In this section, we present a specific example of the proposed hybrid signature construction using Falcon [9] and ECDSA [23] as the underlying PQC and classical signature schemes, respectively.

A. PRELIMINARIES
1) ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM (ECDSA)
ECDSA [22], [23] is a standard digital signature algorithm based on elliptic curves [28], [29]. The security of ECDSA is based on the computational hardness assumption for solving the Elliptic Curve Discrete Logarithm Problem (ECDLP) [28], [29]. Let $E$ be an elliptic curve over a finite field $\mathbb{F}_q$ and $P \in E(\mathbb{F}_q)$ be a point of order $n$. ECDLP is the problem of determining an integer $k$ that satisfies $Q = kP$ $(0 \le k \le n - 1)$ when $P$ and $Q$ are given. It is widely believed that this problem cannot be solved in polynomial time. Compared with the RSA signature scheme, the size of the ECDSA signature is significantly shorter at the same security level.
Algorithm 1 ECDSA Signature Generation
Input: Elliptic curve $E(\mathbb{F}_q)$, private key $d$, message $m$
Output: Signature $\sigma = (r, s)$
Algorithm 1 and Algorithm 2 illustrate the signature generation and verification processes of ECDSA, respectively. Algorithm 1 takes an elliptic curve, a private key, and a message as inputs. First, it chooses a uniformly random integer $k \in [1, n - 1]$. In line 2, it performs a point multiplication, $kP = (x_1, y_1)$, and converts $x_1$ into an integer $\bar{x}_1$. The algorithm computes $r$ using modular reduction on $\bar{x}_1$ with modulus $n$. If $r = 0$, it restarts the signature generation process. Next, it computes $s$ for the hashed message $e$ in line 5. If $s = 0$, the signature generation process is restarted. Finally, signature $\sigma = (r, s)$ is returned. Lines 1 to 3 of Algorithm 1 correspond to step 2 of $\mathrm{Sign}'$. Lines 2 and 3 correspond to the transformation of $k$ into $r$; that is, $r = T(k)$ of $\mathrm{Sign}'$. Lines 4 and 5 correspond to $s = (sk, m, k, r)$ of rSign in step 3 of $\mathrm{Sign}'$, where $sk = d$.
Algorithm 2 for signature verification takes an elliptic curve, a public key, a message, and a signature as inputs. First, it checks whether $r$ and $s$ are within the interval $[1, n - 1]$. If any of the values are not within the interval, the verification fails. The algorithm then computes $u_1 = ew \bmod n$ and $u_2 = rw \bmod n$ using a hashed message $e$, $w = s^{-1} \bmod n$, and $r$. Next, it recovers point $X = u_1 P + u_2 Q$. If point $X$ is a point at infinity, the verification fails. Finally, the algorithm computes $v = \bar{x}_1 \bmod n$ where $\bar{x}_1$ is an integer converted from the $x$ coordinate of $X$. If $v = r$, then the signature is accepted; otherwise, it is rejected.

2) FALCON
The Falcon signature scheme [9] was proposed by Fouque et al. in 2018 to ensure the security of digital signatures in post-quantum computing environments. It is a promising digital signature scheme and has become a candidate for Round 4 of the NIST post-quantum cryptography standardization process [30]. Falcon is an attractive solution for resource-constrained environments as its signature generation and verification speeds are very fast. Falcon uses the GPV framework, a generic framework for building a secure hash-and-sign lattice-based signature scheme [31]. In addition, it was improved by combining the GPV framework with NTRU lattices [32] and applying fast Fourier sampling [33]. The security of Falcon is based on the computational hardness assumption for the short integer solution (SIS) problem [34] over NTRU lattices [35].
be chosen uniformly at random, where $n'$, $m'$, and $q'$ are positive integers. The SIS problem is finding a nonzero integer vector $z \in \mathbb{Z}^{m'}$ of the norm where $\beta$ is a positive real number [36]. Algorithm 3 and Algorithm 4 illustrate the signature generation and verification processes of Falcon, respectively. There are multiple possible parameter sets for Falcon. For simplicity, we explain the processes for Falcon-512 with a 120-bit classical security level and 108-bit quantum security level, following the original description in [9].
Algorithm 3 takes message $m$, private key $sk = (B, T)$, and acceptance bound $\lfloor \beta^2 \rfloor$ as inputs. First, in line 1, it generates a uniformly random salt $r$ from $\{0, 1\}^{320}$. The salt $r$ is directly used as part of the signature in line 12. Algorithm 3 then hashes the concatenated string $(r \| m)$ to a point $c$. Next, the algorithm computes a preimage $t$ of $c$ using the fast Fourier transform (FFT), and it repeats fast Fourier sampling, $z \leftarrow \mathrm{ffSampling}_{n'}(t, T)$, until it finds a sufficiently short vector $s = (t - z)B$ satisfying $\|s\|^2 \le \lfloor \beta^2 \rfloor$. Using inverse FFT to $s$, it obtains two short polynomials $(s_1, s_2)$ such that $s_1 + s_2 h = c \bmod (\phi(x), q')$, where $\phi(x) = x^{n'} + 1$ is a cyclotomic polynomial and $h$ is the public key. Finally, $s_2$ is compressed to a bitstring $s$, and the algorithm outputs a Falcon signature $\sigma = (r, s)$. If $\mathrm{len}(s) \neq 8 \cdot sbytelen - 328$, the algorithm goes back to line 4 and repeats the process. Considering the description of $\mathrm{Sign}'$ in Section II, we can

B. HYBRID SIGNATURE USING FALCON AND ECDSA
In this section, we use the proposed framework described in Section III to construct a hybrid signature scheme using Falcon and ECDSA. Several possible parameter combinations exist based on the desired security level. In this study, we considered a hybrid signature scheme that combines Falcon-512 and ECDSA with a similar classical security level. Therefore, we selected ECDSA P-256, which has a 128-bit classical security level, according to [37].
Let $\sigma_E = (r_E, s_E)$ and $\sigma_F = (r_F, s_F)$ be the ECDSA and Falcon signatures, respectively. In the aforementioned combination of Falcon-512 and ECDSA P-256, the bit lengths of $r_F$ and $r_E$ should be 320 and 256, respectively, to satisfy $\mathrm{len}(r_F) > \mathrm{len}(r_E)$. Therefore, we first explain the hybrid signature generation and verification processes for the case that $\mathrm{len}(r_F) > \mathrm{len}(r_E)$, and then explain the other cases, $\mathrm{len}(r_F) = \mathrm{len}(r_E)$ and $\mathrm{len}(r_F) < \mathrm{len}(r_E)$. If the hybrid signature is composed of ECDSA and Falcon, it takes the form $(r, s_E, s_F)$. Hence, to enable signature verification using the process illustrated in Fig. 3, it should be possible to derive $r_E$ and $r_F$ from $r$. Considering the description of a merged transformation, $T_{AB}$, in Section III, it is easy to see that ECDSA and Falcon correspond to the signature schemes $A$ and $B$, respectively, because $\mathrm{len}(r_E) < \mathrm{len}(r_F)$. According to $T_{AB}$, $r$ can be parsed into $r = r_E \| r_\tau$, and $r_E$ can be recovered by taking $\mathrm{len}(r_E)$ leading bits from $r$. Next, $r_F$ can be computed by $f(r)$ using a bijective function $f$.
We now provide a concrete example of $f$. Pseudorandom permutations (PRPs), such as a block cipher, are good candidates for $f$. However, using a single block of a block cipher may not coincide with the bit lengths $r$ and $r_F$. For example, the block length of the Advanced Encryption Standard (AES) [38] is 128 bits. Therefore, we used the counter mode of AES such that a 320-bit salt $r_F$ can be produced by XORing the 320-bit $r$ and 320-bit keystream generated by AES block encryption operation. Alternatively, other length-preserving transforms, such as format-preserving encryption (FPE) [39], [40] may be used as a PRP.
Algorithm 5 presents the hybrid signature generation process. First, the algorithm takes message $m$ to be signed, Falcon private key $sk$, Falcon bound $\lfloor \beta^2 \rfloor$, elliptic curve $E(\mathbb{F}_q)$, ECDSA private key $d$, and the length parameter $\lambda_P$ of PRP as inputs. In line 1, a uniformly random $k$ is selected from $[1, n - 1]$. The algorithm then computes $r_E$ and $s_E$ following the original ECDSA signature generation process in lines 2-5. Using $r_E$, the algorithm generates $r$, the first part of the hybrid signature, in lines 6 and 7. Note that $r_E$ can also be recovered from $r$ when the signature is verified, although $r$ was generated from $r_E$ during the signature generation process.
Next, in line 8 of Algorithm 5, $r_F$ is computed by PRP with salt $r$, key $\{0\}^{\lambda_P}$, and initial counter $\{0\}^{\lambda_P}$. From lines 9 through 18, the Falcon signature part $s_F$ is computed, and the algorithm returns the hybrid signature $(r, s_E, s_F)$. For the hybrid signature generation process $\mathrm{Sign}'_{AB}$, that is, $\mathrm{Sign}'_{EF}$, in Fig. 2, k
The uniqueness of the random component $r$ is crucial for the security of a randomized signature scheme. For example, it is known in ECDSA that if the same $r$ is used to generate signatures for two distinct messages, the private key can be recovered [41]. Therefore, we must examine the distributions of $r$, $r_E$, and $r_F$ generated by the above construction. It is straightforward that the distribution of $r_E$ in Algorithm 5 is the same as that of $r$ in the original ECDSA (Algorithm 1). Therefore, the proposed hybrid signature scheme does not affect the uniqueness of the $r$ in the original ECDSA. We now examine the distribution of $r_F$ in Algorithm 5.
□
Let $prob^F_r(z)$ be the probability that $r = z$ in Algorithm 3. The distribution of $r$ in the original Falcon is uniform. That is, $prob^F_r(z) = 1/2^{320}$ for all $z \in \{0, 1\}^{320}$, and $P^F_r = \max_{z \in \{0,1\}^{320}} prob^F_r(z) = 1/2^{320}$. The uniqueness of $r_F$ in Algorithm 5 is guaranteed by the following theorem.
Theorem 1: Let $prob^H_{r_F}(z)$ be the probability that $r_F = z$ in Algorithm 5, and let $P^H_{r_F} = \max_{z \in \{0,1\}^{320}} prob^H_{r_F}(z)$. Then, $P^H_{r_F} \le 1/2^{317}$.
Proof: Let $prob^H_{r_E}(z)$ be the probability that $r_E = z$ in Algorithm 5. We evaluate $P^H_{r_E} = \max_{z \in \{0,1\}^{256}} prob^H_{r_E}(z)$. Recall that in Algorithm 5, $r_E$ is derived from the $x$ coordinate of point $kP$ on elliptic curve $E(\mathbb{F}_q)$. There are $(n - 1)$ candidates of $kP$, and the probability of occurrence of each candidate is $1/(n - 1)$. In the worst case, four distinct $k$'s can be mapped onto the same $r_E$ because (1) there exist two distinct points $(x_1, y_1)$ and $(x_1, -y_1)$ for a valid $x_1$, making the relation between $k$ and $x_1$ a 2-to-1 mapping, except at most three extreme cases in which $y_1 = 0$; and (2) there can be two candidates for $x_1$ for a small $r_E$; that is, $r_E = \bar{x}_1$ and $r_E = \bar{x}_1 - n$, resulting in the relation between $\bar{x}_1$ and $r_E$ being a 2-to-1 mapping. (The case $r_E = \bar{x}_1 - 2n$ is not possible because the group order $n$ satisfies $n \le q + 1 + 1\sqrt{q} \ll 2q$ according to Hasse's theorem for standard NIST prime curves whose cofactor is 1 [42].) This reasoning implies that $P^H_{r_E} \le 4/(n - 1) < 4/2^{255}$. Because the 64 random bits $r_\tau$ are concatenated to $r_E$ to generate $r$ in line 7 of Algorithm 5, $P^H_r = P^H_{r_E} \times 1/2^{64}$. By combining this with Lemma 1, we see that $P^H_{r_F} = P^H_r = P^H_{r_E} \times 1/2^{64} < 1/2^{317}$. □
From Theorem 1, there may be at most three bit losses in the security of $r_F$ by our construction. We may also easily compensate for this loss by slightly extending $r$ and selecting $r_\tau = \{0, 1\}^{67}$. Then, the distribution of $r_F$ satisfies $P^H_{r_F} \le 1/2^{320}$.
Algorithm 6 illustrates the signature verification process of the hybrid signature scheme. The algorithm takes as input a message $m$, a signature $\sigma = (r, s_E, s_F)$, a Falcon public key $pk$, a Falcon bound $\lfloor \beta^2 \rfloor$, an elliptic curve $E(\mathbb{F}_q)$, an ECDSA public key $Q$, and the length parameter $\lambda_P$ of PRP. First, $r$ is parsed into $r_E$ and $r_\tau$, and $r_F$ is recovered by computing $\mathrm{PRP}(r, \{0\}^{\lambda_P}, \{0\}^{\lambda_P})$. The algorithm then performs individual ECDSA and Falcon verification algorithms with $(r_E, s_E)$ and $(r_F, s_F)$, respectively. If the verification fails, the hybrid signature is rejected; otherwise, it is accepted as valid.
Next, we examine the selective verifiability of the proposed scheme. We assume that the recipient of the signature does not recognize the new Falcon algorithm, but recognizes only the classical ECDSA signature. Then, the recipient may ignore the third component $s_F$ of the signature and skip steps 2 and 4 in Algorithm 6. This can provide backward compatibility for legacy systems. It may also conform to current regulations that have not fully standardized PQC systems yet. In contrast, assume that the recipient wants to ignore ECDSA whose long-term security is in question owing to the quantum ECDLP algorithms. Then, the recipient may ignore the second component $s_E$ of the signature and skip steps 1 and 3. The computational complexity of this selective verification is almost the same as that of each individual verification, as demonstrated in Section VI.
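The merged transformation $T_{AB}$, its verifier-side counterpart $T'_{AB}$, and the selective recovery of $r_E$ or $r_F$ described above can be exercised with the following added example, which is not code from the paper. It covers the case $\mathrm{len}(r_E) \le \mathrm{len}(r_F)$ only, assumes byte-aligned lengths, and replaces the AES counter-mode keystream with a SHAKE-256 stand-in so that it runs with the standard library; all function names are hypothetical.

```python
"""Merged transformation T_AB (signer) and T'_AB (verifier) for a hybrid
signature laid out as (r, s_E, s_F). Lengths follow the page:
len(r_E) = 256 bits (ECDSA P-256), len(r_F) = 320 bits (Falcon-512 salt)."""
import hashlib
import secrets

LEN_R_E = 32  # bytes: ECDSA P-256 r_E
LEN_R_F = 40  # bytes: Falcon-512 salt r_F


def _keystream(n):
    # ASSUMPTION: stand-in for the AES-CTR keystream under the all-zero key
    # and all-zero initial counter. Any fixed, public keystream gives the
    # same structure: a length-preserving bijection on n-byte strings.
    return hashlib.shake_256(b"constructed-demo-keystream").digest(n)


def f(r):
    """Bijection r -> r_F: XOR r with the fixed public keystream."""
    return bytes(a ^ b for a, b in zip(r, _keystream(len(r))))


def f_inv(r_f):
    """Inverse of f. XOR with a fixed keystream is its own inverse."""
    return f(r_f)


def merge(r_e, r_tau=None, len_r_f=LEN_R_F):
    """Signer side: r = r_E || r_tau and r_F = f(r)."""
    pad = len_r_f - len(r_e)
    if pad < 0:
        raise ValueError("only len(r_E) <= len(r_F) is covered here")
    if r_tau is None:
        r_tau = secrets.token_bytes(pad)  # fresh random padding per signature
    if len(r_tau) != pad:
        raise ValueError("r_tau must be len(r_F) - len(r_E) bytes long")
    r = r_e + r_tau
    return r, f(r)


def split(r, want="EF", len_r_e=LEN_R_E, len_r_f=LEN_R_F):
    """Verifier side: recover only the requested components from r.

    want="E"  -> legacy verifier, takes the leading bytes and never calls f
    want="F"  -> post-quantum-only verifier, computes r_F = f(r)
    want="EF" -> full hybrid verification
    """
    if len(r) != max(len_r_e, len_r_f):
        raise ValueError("unexpected length for r")  # reject before parsing
    r_e = r[:len_r_e] if "E" in want else None
    r_f = f(r) if "F" in want else None
    return r_e, r_f


def r_bits_saved(len_r_e=LEN_R_E, len_r_f=LEN_R_F):
    """Bits saved by sending r instead of (r_E, r_F)."""
    naive = 8 * (len_r_e + len_r_f)
    hybrid = 8 * max(len_r_e, len_r_f)
    return naive - hybrid


if __name__ == "__main__":
    r_e = bytes(range(1, 33))  # constructed stand-in for an ECDSA r_E value
    r, r_f = merge(r_e)
    print("r   =", r.hex())
    print("r_F =", r_f.hex())
    print("legacy view:", split(r, want="E")[0] == r_e)
    print("bits saved :", r_bits_saved())
```

Because $r_F$ depends on all of $r$, a change to the padding $r_\tau$ leaves $r_E$ untouched but yields a different $r_F$, so the padding is covered by the Falcon check and not by the ECDSA-only check.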
Algorithm 5 and Algorithm 6 assumed the case $\mathrm{len}(r_F) > \mathrm{len}(r_E)$. Now, we explain the cases where $\mathrm{len}(r_F) = \mathrm{len}(r_E)$ and $\mathrm{len}(r_F) < \mathrm{len}(r_E)$. If $\mathrm{len}(r_F) = \mathrm{len}(r_E)$, we can eliminate line 6 in Algorithm 5 and revise line 7 to $r \leftarrow r_E$. For signature verification, we can revise line 1 of Algorithm 6 to $r_E \leftarrow r$.
When $\mathrm{len}(r_F) < \mathrm{len}(r_E)$, the algorithms need to be changed slightly more. In Algorithm 5, lines 6 through 8 can be replaced as follows: where $\mathrm{Trunc}(r_{temp}, \mathrm{len}(r_F))$ is a truncation function that takes the $\mathrm{len}(r_F)$ leading bits from $r_{temp}$. For the verification process in Algorithm 6, lines 1 and 2 can be replaced as follows:
Finally, we examine the length-saving effect of the proposed hybrid signature construction. Because the construction above produces a hybrid signature $(r, s_E, s_F)$, we can say that $r$ replaces $(r_E, r_F)$ in the simple concatenation of the two signatures, $(r_E, s_E, r_F, s_F)$. Because $\mathrm{len}(r) = \max(\mathrm{len}(r_E), \mathrm{len}(r_F))$ and the size of $(r_E, r_F)$ is $\mathrm{len}(r_E) + \mathrm{len}(r_F)$, the proposed scheme reduces the signature size by $\min(\mathrm{len}(r_E), \mathrm{len}(r_F))$.

V. SECURITY OF HYBRID SIGNATURE
Algorithm 6
Input: A message $m$, a signature $\sigma = (r, s_E, s_F)$, a Falcon public key $pk$, a Falcon bound $\lfloor \beta^2 \rfloor$, an elliptic curve $E(\mathbb{F}_q)$, an ECDSA public key $Q$, the length parameter $\lambda_P$ of PRP
Output: Accept or reject
1: Parse $r$ into $r = r_E \| r_\tau$
2: $r_F \leftarrow \mathrm{PRP}(r, \{0\}^{\lambda_P}, \{0\}^{\lambda_P})$
3: Verify $(r_E, s_E)$ using Algorithm 2.
4: Verify $(r_F, s_F)$ using Algorithm 4.
5: If any verification fails, reject the signature; otherwise, accept the signature
In this section, we show that the proposed hybrid signature scheme is secure even when one of the two component signature schemes is completely broken if only the other component remains secure. For the security of the signature scheme, we use a slightly modified version of the definition in [20] and [43] as follows:
Definition 1 (Forger of Signature Scheme): Assume that a forger $F_S$ for a signature scheme $S$ = (ParamGen, KeyGen, Sign, Ver) is given the public key computed by ParamGen, KeyGen and a signing oracle access. $F_S$ can generate a message $m_i$ adaptively based on the previously queried message-signature pairs, $\{(m_1, \sigma_1), \ldots, (m_{i-1}, \sigma_{i-1})\}$, then the signing oracle returns a signature $\sigma_i$ for $m_i$. The goal of $F_S$ is to output a valid signature $\sigma$ for message $m$ that has never been queried to the signing oracle. The forger $F_S$ is said to $(t, q_S, \epsilon)$-break the signature scheme $S$ using an adaptive chosen message attack if in at most $t$ processing time and after at most $q_S$ signature queries to the signing oracle, it outputs a valid forgery with a probability of at least $\epsilon$ such that $\langle m, \sigma \rangle \leftarrow F_S(pk, m_1, \sigma_1, \ldots, m_{q_S}, \sigma_{q_S})$, $m \notin \{m_1, \ldots, m_{q_S}\}$ and $\mathrm{Ver}(pk, m, \sigma) = \mathrm{accept}$.
Similarly, we define the security notion for a randomized signature scheme $S'$ = (ParamGen, KeyGen, $\mathrm{Sign}'$, Ver).
Definition 2 (Forger of Randomized Signature Scheme): A forger $F_{S'}$ is said to $(t, q_S, \epsilon)$-break the signature scheme $S'$ = (ParamGen, KeyGen, $\mathrm{Sign}'$, Ver) using an adaptive chosen message attack if in at most $t$ processing time and after at most $q_S$ signature queries to the signing oracle, it outputs a valid forgery with a probability at least $\epsilon$ such that $\langle m, \sigma \rangle \leftarrow F_{S'}(pk, m_1, \sigma_1, \ldots, m_{q_S}, \sigma_{q_S})$, $m \notin \{m_1, \ldots, m_{q_S}\}$ and $\mathrm{Ver}(pk, m, \sigma) = \mathrm{accept}$.
where $\lambda'$ is the number of random bits required according to the security parameter $\lambda$.
Definition 3 (Complete Forger): Assume that the forger $F_{S'}$ for a randomized signature scheme $S'$ = (ParamGen, KeyGen, $\mathrm{Sign}'$, Ver) with security parameter $\lambda$ is given message $m$ and fixed salt $r$ that should be the first part of the signature. The forger is defined as a complete forger if with no signing query to the oracle, it outputs a valid forgery with probability 1, in at most $\mathrm{poly}(\lambda)$ processing time, such that Pr
We denote the complete forger for the randomized signature scheme $S'$ as $F^c_{S'}$. Note that a complete forger is a very powerful attacker that can produce the result of $\mathrm{rSign}(sk, m, k, r)$ without the knowledge about $sk$ and $k$. In some cases, this may imply that this attacker can do something that even a private key owner cannot. For example, in ECDSA, computing $s = k^{-1}(e + dr) \bmod n$ without $k$ is not easy, even if $d$ is given as well as $m$ (equivalently, $e$) and $r$. This may involve solving ECDLP to find $k$ such that the $x$-coordinate of $kP$ is either $r$ or $r + n$.
Next, we define a secure signature scheme.For this purpose, we use the security notion defined in [44].
Definition 4 (Secure Signatures [44]): A signature scheme $S$ is existentially unforgeable under an adaptive chosen message attack if there is no forger who $(t, q_S, \epsilon)$-breaks $S$ with non-negligible $\epsilon$ with polynomial $t$ and $q_S$.
In Section IV, we explained the proposed hybrid signature scheme that combines ECDSA and Falcon as classical and PQC signature schemes, respectively. We now show that no attacker can forge a hybrid signature $\sigma = (r, s_E, s_F)$ even if one of the signature schemes is completely broken, that is, there exists a complete forger for one of the schemes.
Theorem 2: We assume that there exists a complete forger of Falcon, $F^c_F$. If there exists a forger $F_H$ using an adaptive chosen message attack who $(t, q_S, \epsilon)$-breaks the hybrid signature scheme, then there exists an attacker $A_E$ who $(t + \alpha q_S + t(F^c_F) q_S, q_S, \epsilon)$-breaks ECDSA, where $t(F^c_F)$ is the execution time of $F^c_F$ and $\alpha$ is a constant.
Proof: From Definitions 1 and 2, an ECDSA signing oracle $O_E$ returns a signature $\sigma_E = (r_E, s_E)$ on a message $m$ received as a signing query. According to Definition 3, $F^c_F$, the complete forger of Falcon, can generate $s_F$, which is the second part of the Falcon signature, for a given message $m$ and a valid random value $r_F$. Subsequently, $A_E$ can use $F_H$ and $F^c_F$ as subroutines to forge an ECDSA signature as shown in Fig. 4. The details of the forgery process are as follows:
1) $F_H$ chooses a message $m_i$, then requests a hybrid signature on $m_i$ to $A_E$. $A_E$ will play the role of the signing oracle for the hybrid signature scheme.
2) $A_E$ queries $m_i$ to the ECDSA signing oracle $O_E$, then $O_E$ returns the ECDSA signature $(r_{E,i}, s_{E,i})$.
3) $A_E$ computes $r_i \leftarrow r_{E,i} \| r_{\tau,i}$ where $r_{\tau,i}$ is a random bit string such that $\mathrm{len}(r_{\tau,i}) = \mathrm{len}(r_{F,i}) - \mathrm{len}(\max(r_{E,i}))$, and computes $r_{F,i} \leftarrow \mathrm{PRP}(r_i, \{0\}^{\lambda_P}, \{0\}^{\lambda_P})$.
4) $A_E$ sends $(m_i, r_{F,i})$ to $F^c_F$.
5) $F^c_F$ generates the second part of a Falcon signature, $s_{F,i}$, and returns the Falcon signature $(r_{F,i}, s_{F,i})$.
6) $A_E$ sends the hybrid signature $(r_i, s_{E,i}, s_{F,i})$ to $F_H$.
7) $A_E$ iterates 1)-6) at most $q_S$ times until $F_H$ outputs a forged signature.
8) Finally, $F_H$ outputs a valid message-signature pair $(m, \sigma_H) = (m, (r, s_E, s_F))$ where $m \notin \{m_1, m_2, \ldots, m_{q_S}\}$.
9) $A_E$ outputs an ECDSA signature $(\mathrm{Trunc}(r, \mathrm{len}(\max(r_E))), s_E)$ on $m$.
It is obvious that the generated hybrid signature $(r_i, s_{E,i}, s_{F,i})$ in step 6) is valid, that is, it can be verified using Algorithm 6. In lines 1 through 2 of Algorithm 6, $r_{E,i}$ and $r_{F,i}$ are obtained by parsing $r_i$ and computing $\mathrm{PRP}(r, \{0\}^{\lambda_P}, \{0\}^{\lambda_P})$, respectively. Now, the individual verification for the Falcon signature $(r_{F,i}, s_{F,i})$ and ECDSA signature $(r_{E,i}, s_{E,i})$ will be successful. Therefore, $F_H$ cannot distinguish $A_E$ from an actual hybrid signature oracle. Clearly, the ECDSA signature returned in step 9) is valid.
The number of signature queries and success probability of $A_E$ are the same as those of $F_H$, that is, they are $q_S$ and $\epsilon$, respectively. Regarding the execution time, $A_E$ consumes $(\alpha + t(F^c_F)) q_S$ time for the main loop in steps 1) through 6) for a constant $\alpha$, in addition to $t$, the time required for $F_H$. In conclusion, $A_E$, the ECDSA attacker, $(t + (\alpha + t(F^c_F)) q_S, q_S, \epsilon)$-breaks ECDSA. □

The theorem implies that even if Falcon is completely broken, that is, there exists a complete forger for Falcon, the hybrid scheme is secure if only ECDSA is secure.

Theorem 3: Assume that there exists a complete forger of ECDSA, $F^c_E$. If there exists a forger $F_H$ using an adaptive chosen message attack who $(t, q_S, \epsilon)$-breaks the hybrid signature scheme, then there exists an attacker $A_F$ who $(t + t(F^c_E) q_S + \beta q_S \log_2 q_S, q_S \log_2 q_S, \epsilon (1 - 1/q_S)^{q_S})$-breaks Falcon, where $t(F^c_E)$ is the execution time of $F^c_E$ and $\beta$ is a constant.
Proof: From Definitions 1 and 2, a Falcon signing oracle $O_F$ returns a signature $\sigma_F = (r_F, s_F)$ on a message $m$ received as a signing query. From Definition 3, $F^c_E$, the complete forger of ECDSA, can generate $s_E$, the second part of the ECDSA signature, for a given $m$ and valid random value $r_E$. Subsequently, $A_F$ can use $F_H$ and $F^c_E$ as subroutines to forge a Falcon signature as shown in Fig. 5. The details of the forgery process are as follows:

1) $F_H$ chooses a message $m_i$, then requests a hybrid signature on $m_i$ to $A_F$. $A_F$ will play the role of the signing oracle for the hybrid signature scheme.
2) $A_F$ queries $m_i$ to the Falcon signing oracle $O_F$, then $O_F$ returns the Falcon signature $(r_{F,i}, s_{F,i})$.
3) $A_F$ computes $r_i \leftarrow \mathrm{PRP}^{-1}(r_{F,i}, \{0\}^{\lambda_P}, \{0\}^{\lambda_P})$, then computes $r_{E,i} \leftarrow \mathrm{Trunc}(r_i, \mathrm{len}(\max(r_E)))$.
4) $A_F$ checks whether $r_{E,i}$ is valid, i.e., there is a point Otherwise, go back to step 2), and repeat 2)-4) at most $\log_2 q_S$ times until a valid $r_{E,i}$ is obtained. If no valid $r_{E,i}$ is obtained in $\log_2 q_S$ trials, $A_F$ fails.
5) $F^c_E$ generates the second part of an ECDSA signature, $s_{E,i}$, and returns the ECDSA signature $(r_{E,i}, s_{E,i})$.
6) $A_F$ sends the hybrid signature $(r_i, s_{E,i}, s_{F,i})$ to $F_H$.
7) $A_F$ iterates 1)-6) at most $q_S$ times until $F_H$ outputs a forged signature.
8) Finally, $F_H$ outputs a valid message-signature pair $(m, \sigma_H) = (m, (r, s_E, s_F))$ where $m \notin \{m_1, m_2, \ldots, m_{q_S}\}$.
9) $A_F$ outputs a Falcon signature $(\mathrm{PRP}(r, \{0\}^{\lambda_P}, \{0\}^{\lambda_P}), s_F)$ on $m$.
As in the proof of Theorem 2, the hybrid signature $(r_i, s_{E,i}, s_{F,i})$ generated in step 6) is valid, that is, it can be verified using Algorithm 6, and the individual verification of the Falcon signature $(r_{F,i}, s_{F,i})$ and ECDSA signature $(r_{E,i}, s_{E,i})$ will be successful. Therefore, $F_H$ cannot distinguish $A_F$ from an actual hybrid signature oracle. Clearly, the Falcon signature returned in step 9) is valid.
We now examine the success probability of $A_F$. First, recall that the number of valid $r_{E,i}$'s is very close to the number of distinct $x$ coordinates of valid points on $E(F_q)$, as the $x$ coordinate is almost always $r_{E,i}$ in step 4) [41]. (The case that the $x$ coordinate is $r_{E,i} + n$ is rare.) The number of distinct $x$ coordinates among valid points for a curve with group order $n$ is very close to $n/2$, because there always exist two distinct $y$-coordinates for a fixed $x$ except in a few extreme cases with $y = 0$. Therefore, the total number of valid $r_E$'s is very close to $n/2 \approx q/2 \approx 2^{\mathrm{len}(\max(r_E)) - 1}$ for the standard NIST prime curves. Because $r_{E,i}$ computed in step 3) is a $\mathrm{len}(\max(r_E))$-bit uniformly random string, the test of the validity of $r_{E,i}$ in step 4) succeeds with a probability of $2^{\mathrm{len}(\max(r_E)) - 1} / 2^{\mathrm{len}(\max(r_E))} = 1/2$. Because $A_F$ repeats steps 2) to 4) up to $\log_2 q_S$ times, $A_F$ will get valid $r_{E,i}$ with the probability of $1 - (1/2)^{\log_2 q_S} = 1 - 1/q_S$ for each message $m_i \in \{m_1, \ldots, m_{q_S}\}$. Consequently, $q_S$ valid message-signature pairs are generated with the probability of $\epsilon (1 - 1/q_S)^{q_S}$, which is the success probability of $A_F$.
It is easy to see that the execution time and the number of signature queries are $t + t(F^c_E) q_S + \beta q_S \log_2 q_S$ and $q_S \log_2 q_S$, respectively, for a constant $\beta$.
In conclusion, $A_F$, the Falcon attacker, $(t + t(F^c_E) q_S + \beta q_S \log_2 q_S, q_S \log_2 q_S, \epsilon (1 - 1/q_S)^{q_S})$-breaks Falcon. □

For $q_S \geq 2$, it holds that $1/4 \leq (1 - 1/q_S)^{q_S} < \lim_{q_S \to \infty} (1 - 1/q_S)^{q_S} = 1/e$. Therefore, the success probability of $A_F$ is reduced from that of $F_H$ by only a factor of at most 4.
Although the number of queries of $A_F$ is larger than that of $F_H$ by a factor of $\log_2 q_S$, the reduction is still valid because $q_S$ should be a polynomial according to Definition 4. This theorem implies that even if ECDSA is completely broken, that is, there exists a complete forger for ECDSA, the hybrid scheme is secure if only Falcon is secure.
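The success-probability argument in the proof of Theorem 3 can be checked numerically on P-256. The following Python sketch is an added example, not code from the paper: it models each candidate $r_{E,i}$ as a uniform 256-bit value (as the proof argues), ignores the rare $x = r_E + n$ case, and all function names are hypothetical.

```python
import math
import random

# NIST P-256: y^2 = x^3 - 3x + B over F_P, with group order N.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
R_E_BITS = 256  # len(max(r_E)) for P-256


def is_valid_r_e(r_e):
    """Step 4 test: is r_e in [1, n-1] and the x coordinate of a curve point?"""
    # Assumption of this sketch: the rare x = r_E + n case is ignored.
    if not 1 <= r_e < N:
        return False
    rhs = (pow(r_e, 3, P) - 3 * r_e + B) % P
    # Euler's criterion: rhs is a square mod P iff rhs^((P-1)/2) == 1 (or rhs == 0).
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1


def valid_fraction(samples, rng):
    """Fraction of uniform 256-bit strings that pass the step 4 test."""
    hits = sum(is_valid_r_e(rng.getrandbits(R_E_BITS)) for _ in range(samples))
    return hits / samples


def simulate_oracle(q_s, rng):
    """One run of A_F's signing simulation; True if all q_S queries are answered."""
    # Assumption: each fresh Falcon signature yields a fresh uniform r_E candidate.
    tries = int(math.log2(q_s))
    for _ in range(q_s):
        if not any(is_valid_r_e(rng.getrandbits(R_E_BITS)) for _ in range(tries)):
            return False  # no valid r_E within log2(q_S) trials: A_F fails
    return True


def loss_factor(q_s):
    """Multiplicative loss (1 - 1/q_S)^q_S in A_F's success probability."""
    return (1 - 1 / q_s) ** q_s


if __name__ == "__main__":
    rng = random.Random(2023)  # fixed seed so the run is repeatable
    print("valid r_E fraction:", valid_fraction(4000, rng))
    runs = 300
    ok = sum(simulate_oracle(16, rng) for _ in range(runs))
    print("simulation success:", ok / runs, "predicted:", loss_factor(16))
```
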

VI. PERFORMANCE EVALUATION
In this section, the performance of the proposed hybrid signature scheme is evaluated. First, we compare the signature size of the proposed hybrid signature scheme with that of the naive hybrid approach, which concatenates two individual signatures. Second, we examine the computational overhead of the proposed hybrid signature scheme involving operations such as PRP. For the experiments, we constructed the proposed hybrid signature scheme using ECDSA P-256 and Falcon-512 as a classical-PQC combination, as described in Section IV. In addition, we considered PQC-PQC combinations to address the concern that all classical signature schemes will be broken in the near future. Although NIST is standardizing CRYSTALS-Dilithium, Falcon, and SPHINCS+ as post-quantum digital signature schemes, NIST is also evaluating additional signature schemes based on various problems, such as multivariate and code-based signatures [45]. Therefore, we also considered the combinations involving additional post-quantum digital signature schemes.
Experiments were conducted using two different systems. The first system was a desktop PC with an Intel(R) Core(TM) i7-7700 CPU (3.60GHz) and 8GB RAM. The other system was a Raspberry Pi 3 Model B Rev 1.2 with an ARM Cortex-A72 MP4 CPU (1.2GHz) and 1GB RAM. We implemented the hybrid signature scheme using Mbed-TLS 3.1.0 [48] for ECDSA P-256 and the reference implementations of Falcon-512 [49], UOV [50], SNOVA [51], and CRYSTALS-Dilithium [52] as building blocks. Because UOV and SNOVA support the parameter set satisfying NIST security level I, we used UOV-Is and SNOVA-(28, 17, 16, 2)-esk parameter sets corresponding to the security level. For CRYSTALS-Dilithium, we used the dilithium2 parameter set that satisfies NIST security level II because CRYSTALS-Dilithium did not support the parameter set for NIST security level I.
First, we evaluate the signature size and execution time for the ECDSA P-256 and Falcon-512 combination. The signature size of ECDSA P-256 is 64 bytes because $\mathrm{len}(r_E) = \mathrm{len}(s_E) = 256$ in a signature $\sigma_E = (r_E, s_E)$, whereas the signature size of Falcon-512 is 666 bytes for an uncompressed version, where 40 bytes are for $r_F$ and 626 bytes for $s_F$ in a signature $\sigma_F = (r_F, s_F)$. Therefore, the naive concatenation of ECDSA P-256 and Falcon-512 signatures consumes 730 bytes. By contrast, the size of the proposed hybrid signature is 698 bytes because the bit length of a hybrid signature is formulated as $\max(\mathrm{len}(r_E), \mathrm{len}(r_F)) + \mathrm{len}(s_E) + \mathrm{len}(s_F)$. In the experiments, we also applied a compressed signature setting for Falcon provided by the Falcon reference implementation. According to this setting, the size of the Falcon signature is reduced slightly by compressing a polynomial that derives $s_F$, and the signature size may vary depending on the private key, signed data, and random seed. This optimization reduces the signature sizes of both naive concatenation and proposed hybrid scheme.

Table 1 presents the signature sizes of ECDSA, Falcon, naive concatenation, and proposed method in bytes. We measured the sizes of the signatures generated by each signing algorithm 1,000 times in the two systems, and the values in the table are averages. On the PC, because the signature sizes of ECDSA and Falcon were 64 and 655.15 bytes on average, the size of the naive concatenation was 719.15 bytes. The size of the proposed hybrid signature was 687.05 bytes, which is 4.46% (32 bytes) shorter than that of naive concatenation. The experimental results for the Raspberry Pi showed a similar trend. The signature sizes of ECDSA, Falcon, and naive concatenation are 64, 655.11, and 719.11 bytes on average, respectively. The proposed signature consumes 687.12 bytes, which is 4.45% (32 bytes) less than that of naive concatenation.
Table 2 lists the execution times required to generate and verify the signatures of ECDSA, Falcon, and the hybrid signature scheme in milliseconds. The values in the table are the averages of 1,000 measurements. On the PC, ECDSA, Falcon, and hybrid signatures were generated in 0.991 ms, 0.278 ms, and 1.278 ms, respectively. The signature generation time for naive concatenation is the sum of those for ECDSA and Falcon. Thus, the additional time required to generate a hybrid signature was 1.278 − 1.269 = 0.009 ms, which was 0.71% of the signature generation time of naive concatenation. On Raspberry Pi, signatures were generated in 10.334, 2.022, and 12.372 ms on average. Thus, the additional time required to generate a hybrid signature was 12.372 − 12.356 = 0.016 ms, which was 0.13% of the signature generation time of naive concatenation.
Next, we examine signature verification time. On the PC, ECDSA, Falcon, and hybrid signatures were verified in 1.974 ms, 0.028 ms, and 2.009 ms, respectively. The additional time required to verify a hybrid signature was 2.009 − 2.002 = 0.007 ms, which was 0.35% of the signature verification time of naive concatenation. On Raspberry Pi, the signature verification times were 20.602, 0.217, and 20.832 ms, respectively, and the additional time required for hybrid signature verification was 0.06% of the sum of individual verification times. Therefore, the experimental results demonstrate that the time overhead for the proposed hybrid signature generation and verification is almost negligible.

We also evaluate the performance of the three PQC-PQC combinations. The computational overhead was almost negligible for all combinations. Therefore, we only provide the detailed data on signature size reduction. The first combination was a hybrid signature of UOV-Is and SNOVA-(28, 17, 16, 2)-esk. Table 3 presents the signature sizes of UOV, SNOVA, naive concatenation, and the proposed method in bytes. As shown in the table, the signature sizes of UOV and SNOVA are 96 and 106 bytes, respectively, and the proposed method reduces the signature size by 16 bytes (7.92%).
The second combination was a hybrid signature using UOV-Is and Falcon-512. Table 4 presents the signature sizes of UOV, Falcon, naive concatenation, and the proposed method in bytes. The results show that the proposed hybrid signature scheme reduced the signature size of naive concatenation by 2.13% on both systems. The final combination was a hybrid signature of CRYSTALS-Dilithium and Falcon. Table 5 lists the signature sizes of CRYSTALS-Dilithium, Falcon, naive concatenation, and the proposed method in bytes. The signature size of CRYSTALS-Dilithium was 2452.00 bytes on both systems, while that of Falcon was 654.94 bytes on the PC and 654.96 bytes on Raspberry Pi. Thus, the proposed method reduces the signature size of naive concatenation by 1.03%.

VII. DISCUSSIONS
In this paper, we proposed a new hybrid signature construction method that combines two individual signature schemes. We instantiated the proposed method with the combination of ECDSA P-256 and Falcon-512, which are representative classical and post-quantum signature schemes, respectively. However, the proposed method is not limited to this specific combination. For example, we can construct a hybrid signature scheme with two classical signature schemes, such as DSA-ECDSA, or two post-quantum signature schemes, such as UOV-SNOVA, UOV-Falcon, and Dilithium-Falcon, as shown in Section VI. Additionally, it may be possible to construct a hybrid scheme using more than two signature schemes. Because the time invested in the security analysis of new PQC schemes is relatively short compared to that of classical signature schemes such as RSA and ECDSA, there are still concerns regarding the security of new PQC candidates, as we have already seen from the example of SIKE [14]. To mitigate concerns about potential threats to post-quantum signature schemes, we can design a hybrid signature scheme using two PQC schemes and a classical scheme. This combination can also reduce the signature length because the salt in the hybrid signature is derived from the three salts in the underlying signatures. For example,

FIGURE 1. Signature generation processes of two individual randomized signature schemes, A and B.

FIGURE 2. Signature generation process of the proposed hybrid signature scheme.

FIGURE 3. Signature verification process of the proposed hybrid signature scheme.

▷
Reject signatures that are too long say that r in line 1 is the random value k in step 2 of Sign ′ , and T is the identity function.Lines 2-11 correspond to (sk = ( B, T), m, k = r, r).Algorithm 4 for signature verification takes message m, signature σ = (r, s), public key pk = h, and acceptance bound ⌊β 2 in line 1 corresponds to the random value k in Fig. 2, lines 2-3 and 6-8 correspond to the transformation, (r E , r F , r) = T EF (k).Lines 4-5 and 9-18 correspond to s E = E (sk E , m, k, r E ) and s F = F (sk F , m, k, r F ), respectively, where sk E = d, and sk F = sk = ( B, T).

Algorithm 5 Hybrid Signature Generation
Input: A message $m$, a Falcon private key $sk$, a Falcon bound $\lfloor \beta^2 \rfloor$, an elliptic curve $E(F_q)$, an ECDSA private key $d$, the length parameter $\lambda_P$ of PRP
Output: Signature $\sigma = (r, s_E, s_F)$
1: Select $k \leftarrow_R [1, n - 1]$
2: Compute $kP = (x_1, y_1)$ and convert $x_1$ to an integer $\bar{x}_1$
3: Compute $r_E \leftarrow \bar{x}_1 \bmod n$. If $r_E = 0$, then go to step 1
4: Compute $e \leftarrow H(m)$
5: Compute $s_E \leftarrow k^{-1}(e + d r_E) \bmod n$. If $s_E = 0$, then go to step 1
6:

FIGURE 4. Construction of an ECDSA forger $A_E$ using a hybrid forger $F_H$ and a complete Falcon forger $F^c_F$.

FIGURE 5. Construction of a Falcon forger $A_F$ using a hybrid forger $F_H$ and a complete ECDSA forger $F^c_E$.

TABLE 1. Signature sizes of the ECDSA, Falcon, and hybrid signatures.

TABLE 2. Signature generation and verification times of the ECDSA, Falcon, and hybrid signatures.

TABLE 3. Signature sizes of the UOV, SNOVA, and hybrid signatures.

TABLE 4. Signature sizes of the UOV, Falcon, and hybrid signatures.

TABLE 5. Signature sizes of the Dilithium, Falcon, and hybrid signatures.