This repository provides an implementation and experimental study of Secure Code Signing using Ring-Tesla Signatures β a lattice-based, post-quantum digital signature scheme.
It is based on the research paper:
π βSecure Code Signing Using Ring-Tesla Signatureβ by Shaurya Pratap Singh and Brijesh Kumar Chaurasia
Software distribution (firmware, operating systems, mobile apps, and containers) requires strong protection against tampering and forgery.
π Code Signing ensures:
- Integrity β Code has not been altered
- Authenticity β Confirms the identity of the signer
However, traditional methods (RSA/ECC) are vulnerable to quantum computing attacks.
To overcome this, we propose Ring-Tesla Signature based Code Signing β a post-quantum secure, efficient, and scalable solution.
- Cyber threats (malware injection, supply-chain attacks) are on the rise.
- RSA & ECC will be broken by quantum computers.
- Need a future-proof cryptographic signature that is:
β Efficient
β Scalable
β Quantum-resistant
βοΈ Enhanced Security β Protects against forgery & tampering
βοΈ Post-Quantum Resistance β Lattice-based signatures secure against quantum attacks
βοΈ Efficiency β Fast key generation, signing, and verification
βοΈ Scalability β Supports IoT, OS, firmware, and enterprise software
βοΈ Interoperability β Compatible with existing crypto libraries and standards
The architecture of the Code Signing System (CSS) includes:
- Code Signing System (CSS) β Signs submitted code using private keys
- Certification Authority (CA) β Issues certificates to verify signerβs identity
- Timestamp Authority (TSA) β Adds trusted timestamp during signing
- Verifier β Confirms signature validity before execution
- Trust Anchors β Root public keys securely stored for verification
flowchart TD
A[Developer] --> B[Code Signing System]
B --> C[Certification Authority]
B --> D[Timestamp Authority]
B --> E[Verifier]
E --> F[End User]
function KeyGeneration(Ξ», a1, a2):
s, e1, e2 β Gaussian Distribution
if CheckE(e1) = 0 or CheckE(e2) = 0:
Restart
t1 = a1s + e1 (mod q)
t2 = a2s + e2 (mod q)
return (SecretKey = (s,e1,e2), PublicKey = (t1,t2))
function Sign(message Β΅, a1, a2, s, e1, e2):
y β Random sample from Rq
v1 = a1*y (mod q)
v2 = a2*y (mod q)
cβ² = H(Β΅ || v1 || v2)
c = Encode(cβ²)
z = y + s*c
w1 = v1 - e1*c (mod q)
w2 = v2 - e2*c (mod q)
if rejection check fails:
Restart
return (z, cβ²)
function Verify(message Β΅, signature (z,cβ²), a1, a2, t1, t2):
c = Encode(cβ²)
w1 = a1z - t1c (mod q)
w2 = a2z - t2c (mod q)
cβ²β² = H(Β΅ || w1 || w2)
if cβ² = cβ²β² and z is valid:
return ACCEPT
else:
return REJECT
| Message Size | KeyGen (ms) | Sign (ms) | Verify (ms) | Failures |
|---|---|---|---|---|
| 500 KB | 0.008 | 24.66β39.50 | 6.99β14.33 | 20β29 |
| 1000 KB | 0.007β0.008 | 23.53β42.53 | 6.96β13.67 | 23β26 |
| 1500 KB | 0.008β0.009 | 25.85β34.64 | 7.13β13.68 | 19β32 |