A Novel PoW Scheme Implemented by Probabilistic Signature for Blockchain

PoW (Proof of Work) plays a significant role in most blockchain systems to grant an accounting right over decentralized participants and ensure tamper resistance. Though hash functions are generally exploited for PoW due to their merits of summarizing, collision resistance, and irreversibility, they cannot certify that the bookkeeper is exactly the worker. Consequently, this limitation may lead to abuse or even embezzlement of computing power for the benefit of malicious miners. To preserve the functionality of PoW while also binding the miners' signing keys to their work, we build a post-quantum PoW scheme by changing the approximate closest vector norm for probabilistic NTRUSign. Different from schemes based on hash functions, our scheme takes signing as the proof of work, where signature verification is itself the evidence for the block reward. We also present a method to adjust the difficulty of signing by modifying the probability of generating a correct signature. The performance of our scheme is analyzed theoretically and experimentally, which demonstrates its practicability and advantages.


Introduction
Blockchain is now an important carrier of electronic money due to its tamper resistance. In addition to the field of electronic cash [1], academia [2][3][4][5] also suggests using blockchain to combat cybercrime, curb network rumors, or make the IoT (Internet of Things) more credible. Thanks to the difficulty of finding a hash collision, hash function-based PoW schemes are generally deemed secure and reliable for digital currencies [6]. However, Wang's team [7] already realized rapid collisions for MD5 (Message-Digest Algorithm 5) and SHA-1 in 2004 and 2005, which hints at vulnerabilities of other hash functions and thus at the fragility of most PoW schemes. Moreover, with the advent of the quantum era, the consensus mechanisms originally used in blockchains now face more challenges. As explored by Zhang et al. [8], Gao et al. [9], Fernández-Caramès et al. [10], and Li et al. [11], there is a great gap between the development of blockchain and its resistance against quantum machines.
As for space occupation, the size of each block is quite limited within blockchains. Taking BTC (bitcoin) for example, a block must be smaller than 1 MB to ensure the efficiency and security of the chain. When the hash function is used to achieve PoW, the node that wins the right to generate a block must write a nonce together with its reward into the block. These data inevitably waste storage when the block is small. To address this issue, Xiao et al. [12] suggested replacing the hash puzzle (generating a specific hash value by changing the nonce) with solving the SAT (Propositional Satisfiability) problem as the competition, Liu et al. [13] presented a PoW scheme based on the ECDLP (Elliptic Curve Discrete Logarithm Problem), while Shahriar et al. [14] exploited parallel mining instead of solo mining for PoW, which also accelerated the rate of block generation.
In consideration of the aforementioned problems, we base the security of PoW on a well-studied lattice problem named appr-CVP (approximate Nearest Vector Problem) [15] for block generation. This problem has the merit of quantum resistance, and its difficulty can be adjusted by changing the precision of the approximation. Thanks to the reduction between NTRUSign (Signature Protocol of Number Theory Research Unit) and appr-CVP, we take signing as the proof of work to certify the right of block generation. Combining the processes of signing and mining also yields a significant property: the bookkeeper cannot usurp unauthorized computing power without exposing his secret key. To mimic the dynamic block generation rate of bitcoin, our scheme is capable of controlling the probability of signing success for NTRUSign [16]. The core concept of our scheme is to carry out signing and mining at the same time, so that the miners' signing keys are bound to their work and their reward records can be omitted from blocks. Besides, the signatures can be verified in batches, so the authenticity of a block can also be verified quickly without tracing the sources block by block along the hash values.
It is worth mentioning that our scheme is not a trivial combination of PoW and NTRUSign. In the original NTRUSign scheme, the authors only estimated the success rate of signing, without any detailed analysis of the probability distribution of the range for a correct signature. Based on NTRUSign, we carefully analyzed the distribution of signing success and exploit this distribution to construct our scheme, which replaces the hash puzzle. During the derivation, we used the joint distribution of multiple independent exponential distributions to manipulate the distribution parameters after signing, so that the parameters can be well fitted via the Burr distribution [17] in the gamma function family. We also programmed the entire signing process in the C language to verify the reliability of this distribution. Based on the mathematical analysis, the cumulative probability function of the Burr distribution [18,19] was used in practice to select the parameters that correspond to an expected workload, as verified in our experiment.
For clarity, we will first take BTC as an instance to present related concepts of PoW as well as the construction of NTRUSign.
PoW: The PoW technology used in Bitcoin was proposed by Satoshi Nakamoto to ensure that a distributed system can reach agreement in an untrusted environment. Within each Bitcoin block, the hash value of all transactions is included as the root of a Merkle tree [20], together with a nonce, the hash value of its parent block, and parameters such as timestamps.
To pack a block according to the protocol, each node calculates the hash value of the block header appended with a nonce. When the generated hash value is smaller than a certain target, packing succeeds. During the packing process, a specific threshold can be designated to set the difficulty of packing, which determines the block generation speed because the output hashes are uniformly distributed.
The primary reason for choosing the hash puzzle as the way of block generation is that the hash function is irreversible and collision-resistant while summarizing the data. The collision resistance can be described as follows: for a message $A$, the hash operation $H$ returns $H(A)$, while the probability of finding another message $B$ with the same value is bounded by $P(H(A) = H(B) \mid A \neq B) \le 1/2^{256}$. Therefore, to construct a valid hash value, the adversary can only resort to exhaustive enumeration. In BTC, the problem of scrambling for accounting rights is solved by this characteristic of the hash puzzle. Suppose that we use SHA-256 to generate a hash value with $n$ prefixed 0 bits; then each participant can only exhaust random nonces to obtain a valid hash value, since the probability of each attempt is just $1/2^{n}$. It can be seen that it is almost impossible for two participants to complete the puzzle at the same time while competing for the accounting right.
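The hash puzzle described above, as an added example that is not part of the original paper: the header-plus-nonce encoding is a constructed simplification of the Bitcoin layout, and the difficulty is counted in leading zero bits of the SHA-256 digest rather than hex characters, so that each attempt succeeds with probability exactly $1/2^{n}$.

```python
import hashlib

def leading_zero_bits(digest: bytes) -> int:
    """Count the 0 bits at the front of a digest (bit-level, not hex-nibble level)."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits

def puzzle_hash(header: bytes, nonce: int) -> bytes:
    """SHA-256 over the block header followed by the nonce (constructed encoding, not Bitcoin's exact layout)."""
    return hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()

def meets_difficulty(digest: bytes, n: int) -> bool:
    """A digest solves the puzzle when it carries at least n prefixed 0 bits."""
    return leading_zero_bits(digest) >= n

def mine_hash_puzzle(header: bytes, n: int, max_nonce: int = 1 << 22):
    """Exhaustively try nonces; each try succeeds independently with probability 1/2^n."""
    for nonce in range(max_nonce):
        if meets_difficulty(puzzle_hash(header, nonce), n):
            return nonce
    return None

def verify_hash_puzzle(header: bytes, nonce: int, n: int) -> bool:
    """Verification costs a single hash: recompute the digest and re-check the prefix."""
    return meets_difficulty(puzzle_hash(header, nonce), n)

def expected_attempts(n: int) -> int:
    """Mean number of nonces a miner must try for n prefixed 0 bits."""
    return 2 ** n

if __name__ == "__main__":
    header = b"constructed block header: prev=0000, merkle=abcd, time=1"
    n = 12
    nonce = mine_hash_puzzle(header, n)
    print(f"nonce={nonce} valid={verify_hash_puzzle(header, nonce, n)} "
          f"expected attempts~{expected_attempts(n)}")
```

The asymmetry the paper relies on is visible here: mining loops over nonces, while verification is one hash, and nothing in the digest ties the nonce to the identity of whoever found it.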
NTRUSign: The NTRUSign scheme was proposed by Hoffstein, based on the approximate nearest vector problem over a lattice. It maps a message digest to a random point in a $2N$-dimensional space and solves the appr-CVP problem by finding the nearest lattice point. This lattice point can then be used as the signature. The authenticity of the signature is verified by estimating the distance between the encoded message and the signature.
In Hoffstein's scheme, the signer uses the shortest-vector basis as his private key and easily finds the nearest lattice point via this basis [21]. The public basis is an inferior basis with a Hadamard ratio of less than 0.1 after elementary transformation, which can be deemed the verifying key. Solving appr-CVP under the inferior basis is NP-hard, so the verifier cannot forge a signature but can verify one quickly. The security of NTRUSign was also proved in different settings in Hoffstein's paper.
To generate the signature, we use rounding to map the message digest from the rational field to an approximate lattice point. The rounding error is the distance used to detect whether the signature is valid. Expressing it with the centered Euclidean norm, we found that although the discarded signatures obey a gamma distribution as a whole, the specific distributions still differ. In the next chapter, we introduce the mathematical background; we solve the above distribution problem in Chapter 3 and then use the gamma distribution to achieve controllable probabilistic signatures.

Mathematical Background
The protocol suite of NTRU works over the quotient ring $R/qR$, for $R = \mathbb{Z}[X]/(X^N - 1)$. There are two polynomials $f \in R$, $g \in R$ of degree $N - 1$, which are multiplied via the cyclic convolution $f * g$, where $(f * g)_k = \sum_{i + j \equiv k \pmod N} f_i \cdot g_j$ $(0 \le k < N)$. For each $q \in \mathbb{Z}$ and $h \in R$, the set $M_{h,q} = \{(u, v) \in R^2 \mid v \equiv u * h \pmod q\}$ is an $R$-module of rank 2 ($M_{h,q}$ is also a lattice of dimension $2N$), while every element of $R$ can be represented as $f = \sum_{i=0}^{N-1} r_i X^i$. Therefore, the length of $f$ is naturally measured as the centered Euclidean norm of its coefficient vector. The norm imposed between two elements of $M_{h,q}$, or more generally on $(u, v) \in R^2$, is thus the component-wise Euclidean norm $\|(u, v)\|^2 = \|u\|^2 + \|v\|^2$. Note also that $d_f$ of the coefficients in $f$ are set to 1 while the remaining coefficients are 0; the norm of such an $f$ is then $\|f\| = \sqrt{\,\cdots\,}$.

Definition 1: A real-valued function $\|\cdot\|$ on $\mathbb{R}^n$ is a vector norm if it satisfies: (1) Positive definiteness: $\|x\| \ge 0$, and $\|x\| = 0$ only when $x = 0$.
In our research, we use some basic probability distributions to analyze the centered Euclidean norm of the approximate shortest vector. That is, $X \sim \mathrm{Exponential}(\cdot)$ with $\sum_{i=1}^{N} X_i \sim \mathrm{gamma}(c, k)$, and the probability density function of the Burr distribution within the generalized gamma family is defined accordingly. We then rescale the Burr distribution, and correspondingly obtain its cumulative distribution function (the fitted form used later in the section on blockchain application). From the next chapter, we begin to construct the overall algorithmic inference process.

Algorithm Design
In this chapter, we introduce the construction of NTRUSign in detail and analyze its probability distribution. NTRUSign's basic operations are addition and multiplication over a polynomial ring, so the algorithm is very efficient. Meanwhile, the signature is quantum-resistant because it is based on a lattice problem. Therefore, the scheme is more secure than the hash puzzle in the blockchain.

The Proposed PoW Scheme Combined with Signing
Firstly, the message should also be rounded to its nearest integer. For any $a \in \mathbb{Q}$, denote by $[a]$ the rounding of $a$, where $[a] = a - \{a\}$ for $\{a\} \le 0.5$. Similarly, for a polynomial $f$, $[f]$ and $\{f\}$ are obtained by carrying out the same operation on each of its coefficients.
The algorithm can be mainly divided into three steps:

1) Key generation: $(Pk, Sk) \leftarrow \mathrm{KeyGen}(N, q, d_f, d_g, S, t)$

1. Input initial integers $N, q, d_f, d_g, S \ge 0$ as security parameters and a state $t =$ "standard" or "transpose".
2. Generate $S$ private lattice bases and one public lattice basis by executing the following process. Let $i = S$; while $i \ge 0$: (a) randomly select $f, g \in R$, where the numbers of coefficients equal to 1 in those polynomials are $d_f$ and $d_g$ respectively; (b) find a pair of polynomials $F, G \in R$ with small coefficients satisfying $f * G - F * g = q$;

Release the public key
3. Verify the validity of the signature by computing $b = \|(s,\; s * h - m \pmod q)\|$. If $b \ge U$, regenerate $D$ and sign again; otherwise return $(D, s)$.
According to the above signing process, it is clear that the success probability of signing is related to the centered Euclidean norm of $(s,\; s * h - m \pmod q)$. In the following, we analyze the distribution of this norm.
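A toy-scale implementation of the signing step and its verification norm, added here as an example and not the paper's C code: it also covers the ring arithmetic of the Mathematical Background section (cyclic convolution in $\mathbb{Z}[X]/(X^N-1)$, the centered Euclidean norm, and the relation $t \equiv s * h \pmod q$ of Theorem 1). Everything here is constructed for illustration: $N = 3$, $q = 3$, a hand-made private basis $f = 1 + X$, $g = 1$, $F = -2 + X$, $G = 1$ (which satisfies $f * G - F * g = q$), a brute-force inverse mod $q$ that only works at toy size, and a SHA-256 mapping of (block, $D$) to the message point $m$. The paper's $N = 251$, $q = 128$ and its key generation are not reproduced.

```python
import hashlib
from fractions import Fraction
from itertools import product
from math import floor, sqrt

# Toy parameters, constructed for illustration (the paper's experiment uses N=251, q=128).
N, Q = 3, 3

def conv(a, b):
    """Cyclic convolution in Z[X]/(X^N - 1): (a*b)_k = sum over i+j = k (mod N) of a_i * b_j."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % N] += ai * bj
    return out

def add(a, b): return [x + y for x, y in zip(a, b)]
def sub(a, b): return [x - y for x, y in zip(a, b)]

def mod_centered(a, q=Q):
    """Reduce each coefficient mod q into the centered range [-q//2, q - q//2)."""
    return [((x + q // 2) % q) - q // 2 for x in a]

def centered_norm_sq(a):
    """Squared centered Euclidean norm: deviations of the coefficients from their mean."""
    mu = Fraction(sum(a), len(a))
    return sum((Fraction(x) - mu) ** 2 for x in a)

def pair_norm(u, v):
    """Component-wise norm on R^2: ||(u, v)||^2 = ||u||^2 + ||v||^2."""
    return sqrt(centered_norm_sq(u) + centered_norm_sq(v))

def rnd(x):
    """[x]: nearest integer (halves round up)."""
    return floor(x + Fraction(1, 2))

def inverse_mod_q(f, q=Q):
    """Brute-force f^{-1} in Z_q[X]/(X^N - 1); only viable at toy size (q^N candidates)."""
    one = [1] + [0] * (N - 1)
    for cand in product(range(q), repeat=N):
        if [c % q for c in conv(f, cand)] == one:
            return list(cand)
    raise ValueError("f has no inverse mod q")

# Constructed toy key: f = 1 + X, g = 1, F = -2 + X, G = 1, so that f*G - F*g = 3 = q.
F_SK, G_SK, FF_SK, GG_SK = [1, 1, 0], [1, 0, 0], [-2, 1, 0], [1, 0, 0]
H_PK = [c % Q for c in conv(inverse_mod_q(F_SK), G_SK)]   # public key h = f^{-1} * g (mod q)
KEY = (F_SK, G_SK, FF_SK, GG_SK, H_PK)

def check_key(key, q=Q):
    """Key conditions the scheme relies on: f*G - F*g = q and f*h = g (mod q)."""
    f, g, F, G, h = key
    q_poly = [q] + [0] * (N - 1)
    return sub(conv(f, G), conv(F, g)) == q_poly and mod_centered(sub(conv(f, h), g), q) == [0] * N

def digest_point(block: bytes, D: int, q=Q):
    """Map (block, retry counter D) to a message point m in R (constructed mapping via SHA-256)."""
    dgst = hashlib.sha256(block + D.to_bytes(8, "big")).digest()
    return mod_centered([dgst[i % len(dgst)] for i in range(N)], q)

def verify_norm(m, s, h, q=Q):
    """b = ||(s, s*h - m (mod q))||, the quantity the verifier compares against U."""
    return pair_norm(s, mod_centered(sub(conv(s, h), m), q))

def sign_attempt(m, key, q=Q):
    """One signing attempt for the target (0, m): express (0, m) in the private basis, round the
    coordinates, and return the lattice point's first component s together with its norm b."""
    f, g, F, G, h = key
    zero = [0] * N
    # (x, y) = (0, m) * B^{-1} with B = [[f, g], [F, G]] and B^{-1} = (1/q) [[G, -g], [-F, f]]
    x = [Fraction(c, q) for c in sub(conv(zero, G), conv(m, F))]
    y = [Fraction(c, q) for c in sub(conv(m, f), conv(zero, g))]
    xr, yr = [rnd(c) for c in x], [rnd(c) for c in y]
    s = add(conv(xr, f), conv(yr, F))
    t = add(conv(xr, g), conv(yr, G))
    # Theorem 1 in action: the rounded lattice point satisfies t = s*h (mod q), so s alone is the signature
    assert mod_centered(sub(t, conv(s, h)), q) == zero
    return s, verify_norm(m, s, h, q)

def mine_by_signing(block: bytes, key, U: float, max_tries: int = 1000):
    """Proof of work: re-draw D until the signature passes the threshold (b < U)."""
    for D in range(max_tries):
        s, b = sign_attempt(digest_point(block, D), key)
        if b < U:
            return D, s, b
    return None

def verify_block(block: bytes, D: int, s, h, U: float, q=Q) -> bool:
    """Anyone holding only the public key h checks the block with one norm computation."""
    return verify_norm(digest_point(block, D, q), s, h, q) < U

if __name__ == "__main__":
    assert check_key(KEY)
    D, s, b = mine_by_signing(b"constructed block", KEY, U=1.5)
    print(f"D={D} s={s} b={b:.3f} valid={verify_block(b'constructed block', D, s, H_PK, 1.5)}")
```

The point to notice is which side holds which key: producing $s$ needs the private basis $(f, g), (F, G)$, while the verifier only needs $h$ and $U$, so a passing signature proves both that work was done and who did it. Lowering $U$ makes more attempts fail and forces more re-draws of $D$, which is exactly the knob the next sections turn into a difficulty setting.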

Functional Analysis of NTRUSign's Cumulative Probability
During the signing process, we intend to find a set of approximate vectors $(x, y) \in R$ that approximate the target point; using the private basis we can compute them. Theorem 1: If $f * G - g * F = q$ and $h = f^{-1} * g$, then $s * (g, G) \equiv s * h \pmod q$.
Proof: From the relations above, $m \approx s * (g, G) \equiv s * h \pmod q$. To obtain the distribution of Eq. (7), we can also assume that $X$ and $Y$ are uniformly distributed on $(-B, B)$, so Eq. (7) can be expressed approximately. According to Theorem 1, Eq. (11) can be expressed as $(1/N)\,\|a\| \cdot \sum_{i < j \le N} (X_i - X_j)^2$, where $a$ is a constant.
We now know that $X$ is uniformly distributed on $(-B, B)$. Let $R = X_i - X_j$; the probability distribution of $R$ follows, and from it the distribution of $Z = R^2$ can be obtained. Using the exponential distribution $f(x;\, 2\ldots)$ to approximately represent the original distribution of $R$, it can be observed that the difference between the two distributions is insignificant, as shown in Fig. 1.
Then we can approximate $\|(0, m) - (s,\; s * h \pmod q)\|^2$ as the sum of multiple independent exponential distributions (with different parameters). Obviously, the resulting distribution lies within the gamma distribution family, so we can use the Burr distribution to fit the distribution function.
According to simulation, the cumulative distribution function $F$ can be obtained (its fitted form is given in the blockchain application section). Therefore, when the success probability of signing needs to be less than $P$, we only have to set $P = F(U^2)$ and adjust $U$ to control the probability of a successful signature.

Application in Blockchain
In this section, we introduce how to control the success rate of signing by changing the threshold $U$ in NTRUSign. In summary, the probability distribution of the signature is the main object of study.
If a participant wants to generate a legal block, he should use NTRUSign to generate a successful signature for the transaction ledger. As shown in Fig. 2, if we use the NTRUSign scheme, reward records are no longer needed.
In practice, the validity of the block signature should be verified before billing. Once the signature is valid, the reward record can be automatically derived from the corresponding block (because the signature is computed by the rewarded participant), and the consumption records are added together to generate a general ledger. The process of competing for block generation rights is as below.
2. Adjust $U$ according to $1/2^{n} = P = 1 - \left[1 + \left(U^{2}/62000\right)^{22.4179}\right]^{-0.0799}$.
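The difficulty adjustment of this section and the threshold rule $P = F(U^2)$ of the previous one, worked out as an added example that is not code from the paper: it takes the fitted Burr cumulative distribution function with the paper's parameters ($62000$, $22.4179$, $-0.0799$), inverts it in closed form to obtain the $U$ that corresponds to $n$ hash-puzzle bits, and checks the result by Monte Carlo sampling from the same fitted distribution. The sampling is an assumption added here (it draws squared norms from the fit, not from real NTRUSign runs), and the Burr type XII closed-form quantile is standard.

```python
import random
from math import log2, sqrt

# Burr CDF as fitted in the paper: F(x) = 1 - [1 + (x/62000)^22.4179]^(-0.0799),
# where x = ||(0, m) - (s, s*h mod q)||^2 for N = 251, q = 128.
LAMBDA, C, K = 62000.0, 22.4179, 0.0799

def burr_cdf(x: float) -> float:
    """P(b^2 < x): probability that one signing attempt yields a squared norm below x."""
    if x <= 0:
        return 0.0
    return 1.0 - (1.0 + (x / LAMBDA) ** C) ** (-K)

def burr_quantile(p: float) -> float:
    """Inverse CDF: the x with F(x) = p (closed form for the Burr type XII distribution)."""
    return LAMBDA * ((1.0 - p) ** (-1.0 / K) - 1.0) ** (1.0 / C)

def threshold_for_bits(n: int) -> float:
    """Threshold U such that a signing attempt succeeds with probability 1/2^n (n hash-puzzle bits)."""
    return sqrt(burr_quantile(2.0 ** -n))

def bits_for_threshold(U: float) -> float:
    """Inverse view: the hash-puzzle difficulty (in bits) that a given U corresponds to."""
    return -log2(burr_cdf(U * U))

def sample_norm_sq(rng: random.Random) -> float:
    """Draw one simulated squared norm from the fitted Burr distribution (inverse-transform sampling)."""
    return burr_quantile(rng.random())

def simulate_success_rate(n: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check: fraction of simulated signing attempts that pass U at difficulty n bits."""
    U2 = threshold_for_bits(n) ** 2
    rng = random.Random(seed)
    return sum(1 for _ in range(trials) if sample_norm_sq(rng) < U2) / trials

def expected_signing_attempts(n: int) -> float:
    """Mean number of (re-draw D, sign) rounds before a block is found; matches 2^n hash attempts."""
    return 2.0 ** n

if __name__ == "__main__":
    for n in (4, 8, 12, 16):
        U = threshold_for_bits(n)
        print(f"n={n:2d} bits  U={U:9.3f}  F(U^2)={burr_cdf(U * U):.3e}  "
              f"simulated rate={simulate_success_rate(n, 20000):.4f}  "
              f"expected attempts={expected_signing_attempts(n):.0f}")
```

Because the acceptance probability is read off a fitted curve rather than a uniform hash, the parameters are only as good as the fit; the paper's own Tab. 1 comparison, where the theoretical success probability comes out slightly above the measured one, is the kind of check a deployment would have to repeat for its own key parameters.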
For now, we have shown how to use NTRUSign to replace the hash puzzle with the same capacity of PoW. In the next chapter, we analyze the above scheme to validate its security and correctness.

Experiment and Analysis
To verify the reliability of our scheme, we should show that the above probability function is very close to the actual experimental probability distribution.
We first employed the C language to program the signing algorithm of NTRUSign and set the security parameters as $N = 251$, $q = 128$, $d_f = 73$, $d_g = 71$, $S = 0$, $t =$ "standard". Then we signed 6 million sets of data and recorded the values of $\|(0, m) - (s,\; s * h \pmod q)\|^2$. Comparing the Burr distribution with the actual experimental data distribution, we obtained their difference as in Fig. 3. It can be seen that our predicted distribution is similar to the experimental result. When $\|\cdot\|$ is less than a certain value, their difference can simply be ignored.
To verify the accuracy of our experimental distribution, we signed 500,000 sets of data once again and computed the theoretical boundary of $U$ according to Eq. (11) for $P = 1/2^{n}$. Meanwhile, the experimental results that fall below the boundary were also counted, as shown in Tab. 1. The experimental results demonstrate that the theoretical success probability is slightly greater than the actual probability. However, since the conversion rules of the two are the same, the scheme is feasible and secure when the parameters are designed accordingly.

Conclusions and Open Problems
A novel PoW scheme combined with probabilistic signing was proposed in this paper. Our scheme not only replaces the hash puzzle in the blockchain but also achieves fast block verification. However, there are still some problems to be addressed in the future.
Firstly, the probability distribution of successful signing is based on a set of commonly used parameters, without considering any possible disturbance (e.g., $S = 0$). Therefore, the relationship between the probability distribution and the secret key has not been obtained accurately.
Secondly, this scheme has not yet implemented batch signing to replace PoW. With the advent of the quantum era, more and more probabilistic signing schemes will be based on lattices, so it is necessary to find a scheme that fits parallel computing perfectly.
Thirdly, NTRUSign may expose the private lattice basis [22] after multiple signings, which is considered its most significant flaw. Moreover, since the secret key of our scheme is only used to prove the workload, how to combine it with the function of transaction signing should be studied further.