Hybrid Post-Quantum Cryptography Implementation Status #21
Description
📋 Project Goal
Enable Hyperledger Fabric to create and verify signatures using a hybrid cryptographic scheme combining:
- Classical: ECDSA (Elliptic Curve Digital Signature Algorithm)
- Post-Quantum: Dilithium or Falcon (NIST PQC standards)
This allows measuring performance impact of PQC on blockchain transactions.
✅ What Has Been Completed
1. Infrastructure Setup
A. HYBRID BCCSP Provider (bccsp/hybrid/hybrid.go)
- Status: ✅ Complete stub implementation
- What it does:
- Implements all 10 methods required by Fabric's BCCSP interface
- Currently delegates all operations to SW provider (ECDSA)
- Serves as foundation for future PQC integration
- Key methods:
KeyGen() // Generate cryptographic keys Sign() // Sign message digests Verify() // Verify signatures Hash() // Hash operations Encrypt() // Encryption (delegated) Decrypt() // Decryption (delegated)
B. HYBRID Factory (docker/compose/hybridfactory.go)
- Status: ✅ Implemented
- What it does:
- Registers HYBRID as a valid BCCSP provider type
- Follows Fabric's factory pattern (similar to SWFactory)
- Initializes keystores and creates HYBRID BCCSP instances
C. Factory System Integration
- Status: ✅ Integrated
- Modified file:
bccsp/factory/nopkcs11.go(during Docker build) - Changes:
// In initFactories() case "HYBRID": f := &HYBRIDFactory{} defaultBCCSP, err = initBCCSP(f, config) // In GetBCCSPFromOpts() case "HYBRID": f = &HYBRIDFactory{}
D. Custom Peer Docker Image
- Status: ✅ Built successfully
- Image:
custom-fabric-peer:2.5 - Build process:
- Clone Fabric 2.5 sources
- Inject HYBRID provider code
- Modify factory system with
sed - Compile peer binary
- Package in runtime image
- Size: ~2.5GB (includes build environment)
E. Docker Compose Configuration
- Status: ✅ Configured and tested
- File:
docker/compose/fabric-baseline-hybrid.yaml - Key settings:
environment: - CORE_PEER_BCCSP_DEFAULT=HYBRID - FABRIC_LOGGING_SPEC=INFO:bccsp=DEBUG
- Validation: Peer starts successfully with log:
default: HYBRID
⏳ What Remains To Be Done
Phase 1: Post-Quantum Algorithm Integration (2-3 days)
A. Add liboqs Library
# Add dependency in go.mod
go get github.com/open-quantum-safe/liboqs-go/oqsB. Implement PQC Key Generation
File: bccsp/hybrid/hybrid.go
import "github.com/open-quantum-safe/liboqs-go/oqs"
type HybridBCCSP struct {
sw bccsp.BCCSP
pqc *oqs.Signature // Add PQC signer
}
func (h *HybridBCCSP) KeyGen(opts bccsp.KeyGenOpts) (bccsp.Key, error) {
// 1. Generate ECDSA key (existing)
ecdsaKey, err := h.sw.KeyGen(opts)
// 2. Generate Dilithium key (NEW)
h.pqc.Init("Dilithium3", nil)
pqcPublic := h.pqc.GenerateKeypair()
// 3. Wrap both keys in HybridKey struct
return &HybridKey{ecdsa: ecdsaKey, pqc: pqcPublic}, nil
}C. Implement Hybrid Signing
func (h *HybridBCCSP) Sign(k bccsp.Key, digest []byte, opts bccsp.SignerOpts) ([]byte, error) {
// 1. Sign with ECDSA
ecdsaSig, err := h.sw.Sign(k.ECDSAKey(), digest, opts)
// 2. Sign with Dilithium
pqcSig, err := h.pqc.Sign(digest)
// 3. Combine signatures
hybridSig := CombineSignatures(ecdsaSig, pqcSig)
return hybridSig, nil
}Signature format (example):
[4 bytes: ECDSA length] [ECDSA signature] [PQC signature]
D. Implement Hybrid Verification
func (h *HybridBCCSP) Verify(k bccsp.Key, signature, digest []byte, opts bccsp.SignerOpts) (bool, error) {
// 1. Parse combined signature
ecdsaSig, pqcSig := ParseHybridSignature(signature)
// 2. Verify ECDSA
validECDSA, _ := h.sw.Verify(k.ECDSAKey(), ecdsaSig, digest, opts)
// 3. Verify PQC
validPQC := h.pqc.Verify(digest, pqcSig, k.PQCKey())
// 4. Both must be valid
return validECDSA && validPQC, nil
}Phase 2: Key Management (1-2 days)
A. Extend MSP Certificate Structure
Problem: Current MSP certificates contain only ECDSA keys
Solution:
Current MSP:
msp/
keystore/
priv_sk ← ECDSA private key
Hybrid MSP:
msp/
keystore/
ecdsa_priv_sk ← ECDSA key
dilithium_priv_sk ← PQC key
signcerts/
cert.pem ← Contains both public keys
B. Modify Certificate Generation
File: docker/compose/generate-hybrid-certs.sh (to create)
#!/bin/bash
# Generate ECDSA key (existing)
cryptogen generate --config=crypto-config.yaml
# Generate Dilithium keys (NEW)
for org in org1 orderer; do
liboqs-keygen --alg Dilithium3 \
--out configs/${org}/msp/keystore/dilithium_priv_sk
doneC. Custom Key Type
// bccsp/hybrid/keys.go
type HybridKey struct {
ecdsaKey bccsp.Key
pqcPubKey []byte
pqcPrivKey []byte
}
func (k *HybridKey) Bytes() []byte {
// Serialize both keys
}
func (k *HybridKey) SKI() []byte {
// Combined Subject Key Identifier
}Phase 3: Protocol Integration (3-5 days)
A. Transaction Signature Updates
Files to modify:
core/endorser/endorser.go- Endorsement signaturescore/committer/txvalidator/validator.go- Signature verification
Changes:
// Before: Single ECDSA signature
signature := signer.Sign(proposal)
// After: Hybrid signature (transparent)
signature := hybridSigner.Sign(proposal) // Returns combined sigB. Block Signature Updates
File: orderer/common/blockcutter/blockcutter.go
// Ensure block metadata includes hybrid signatures
block.Metadata.Signatures = hybridSignaturesC. Configuration Updates
File: core/ledger/kvledger/txmgmt/validation/validator.go
// Add hybrid signature validation logic
func (v *Validator) ValidateAndPrepareBatch(...) {
for _, tx := range block.Transactions {
// Validate hybrid signature
valid := hybridBCCSP.Verify(tx.Signature, tx.Payload)
}
}Phase 4: Testing & Validation (2-3 days)
A. Unit Tests
// bccsp/hybrid/hybrid_test.go
func TestHybridSign(t *testing.T) {
hybrid := NewHybridBCCSP(...)
key, _ := hybrid.KeyGen(...)
sig, err := hybrid.Sign(key, digest, nil)
assert.NoError(t, err)
assert.True(t, len(sig) > 70) // ECDSA (~70) + Dilithium (~2420)
}
func TestHybridVerify(t *testing.T) {
// Test signature verification
}B. Integration Tests
# Test end-to-end transaction flow
cd tests/integration
./test_hybrid_transaction.shTest scenarios:
- Create channel with hybrid signatures
- Deploy chaincode with hybrid endorsement
- Invoke transaction and verify hybrid signatures in block
- Query ledger and validate all signatures
C. Performance Benchmarking
# Run Caliper benchmark comparing:
# 1. ECDSA baseline
# 2. HYBRID (ECDSA + Dilithium)
# 3. PQC-only (future)
cd simulations
./benchmark_hybrid.shMetrics to collect:
- Transaction latency (ms)
- Throughput (tx/sec)
- Signature size (bytes)
- CPU usage (%)
- Memory consumption (MB)
📊 Implementation Timeline
| Phase | Task | Estimated Time | Complexity |
|---|---|---|---|
| 1A | Add liboqs dependency | 2 hours | Low |
| 1B | Implement PQC KeyGen | 4 hours | Medium |
| 1C | Implement hybrid Sign | 6 hours | Medium |
| 1D | Implement hybrid Verify | 4 hours | Medium |
| 2A | Extend MSP structure | 4 hours | Medium |
| 2B | Modify cert generation | 6 hours | High |
| 2C | Create HybridKey type | 3 hours | Low |
| 3A | Update transaction flow | 8 hours | High |
| 3B | Update block signatures | 4 hours | Medium |
| 3C | Update validation logic | 6 hours | High |
| 4A | Write unit tests | 6 hours | Medium |
| 4B | Integration tests | 8 hours | High |
| 4C | Performance benchmarks | 6 hours | Medium |
| TOTAL | 67 hours (~8-10 days) |
🎯 Current System Capability
What Works Now
✅ Peer starts with HYBRID provider
✅ Provider is registered in factory system
✅ All BCCSP methods are implemented (delegating to ECDSA)
✅ Docker build system is operational
✅ Network configuration is correct
What Doesn't Work Yet
❌ No actual PQC signatures (still using ECDSA only)
❌ No Dilithium/Falcon key generation
❌ No hybrid signature format defined
❌ Certificates contain only ECDSA keys
❌ No performance benchmarks available
🚀 Next Immediate Step
Start with Phase 1A: Integrate liboqs library
# 1. Update bccsp/hybrid/hybrid.go to import liboqs
# 2. Update Dockerfile to install liboqs system library
# 3. Test basic Dilithium key generation
# 4. Implement hybrid Sign() method
# 5. Test with simple unit testExpected outcome: Peer can generate and verify hybrid signatures locally, ready for full protocol integration.
📚 References
Document Version: 1.0
Last Updated: December 27, 2024
Status: Infrastructure Complete, PQC Integration Pending