
arxiv: 2606.23003 · v1 · pith:NTS465WDnew · submitted 2026-06-22 · 💻 cs.CR

VCT: A Verifiable Transcript System for LLM Conversations

Pith reviewed 2026-06-26 08:19 UTC · model grok-4.3

classification 💻 cs.CR
keywords verifiable transcript · LLM conversation · Merkle tree · state transition · non-repudiation · integrity · cryptographic audit · non-linear logs

The pith

VCT abstracts non-linear LLM conversation operations into account-level authenticated state transitions using a three-tier Merkle structure and joint signatures.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes a Verifiable Conversation Transcript system that models complex LLM interactions such as re-prompting, regeneration, deletion, and multi-device concurrency as sequences of authenticated state changes. It builds branch-level hash chains from Q&A pairs, aggregates them into session Merkle roots, and then into an account-level root signed jointly by user and server. A serialized transition protocol with deletion barriers prevents conflicts, while a deterministic merge protocol handles concurrent updates. Incremental denial checks and a gossip protocol let devices detect server-induced forks and produce non-repudiable evidence. Under standard cryptographic assumptions this yields integrity, consistency, shareability, and non-repudiation for forensic and compliance use cases.

Core claim

VCT abstracts complex non-linear LLM semantic operations into account-level authenticated state transitions. Atomic Q&A pairs form branch-level hash chains; branch tails aggregate into session-level Merkle roots; all session roots aggregate into an account-level Merkle root anchored by joint user-server signatures. A serialized state transition protocol with deletion barriers eliminates conflicts between deletion and modification, complemented by a deterministic state-merge protocol that preserves concurrent non-deletion incremental operations. Incremental denial checks and a gossip protocol enable asynchronous devices to detect view forks and generate non-repudiable forensic evidence. Secur

What carries the argument

Three-tier cryptographic data structure (branch hash chains to session Merkle roots to account Merkle root with joint signatures) together with serialized state-transition protocol using deletion barriers and deterministic state-merge protocol.
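
A minimal sketch of the three-tier structure described above, added here as an illustration; it is not code from the paper or its Python prototype. The hash encoding, domain-separation tags, leaf ordering, odd-node promotion rule and the sample conversation are all assumptions, and the joint user-server signatures over the account root are omitted.

```python
import hashlib

# Domain-separation tags and the genesis value are assumptions, not the paper's encoding.
NODE, LEAF, INNER = b"qa", b"leaf", b"inner"
GENESIS = b"\x00" * 32


def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def branch_tail(qa_pairs, parent=GENESIS):
    """Tier 1: hash chain over (question, answer) pairs; returns the tail hash."""
    tail = parent
    for question, answer in qa_pairs:
        tail = H(NODE, tail, question.encode(), answer.encode())
    return tail


def merkle_levels(leaves):
    """Every level of a Merkle tree, leaf hashes first; an odd node is promoted."""
    if not leaves:
        raise ValueError("a Merkle tree needs at least one leaf")
    level = [H(LEAF, leaf) for leaf in leaves]
    levels = [level]
    while len(level) > 1:
        nxt = [H(INNER, level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        levels.append(nxt)
        level = nxt
    return levels


def session_root(branches):
    """Tier 2: Merkle root over one session's branch tails, ordered by branch id."""
    leaves = [bid.encode() + branch_tail(qa) for bid, qa in sorted(branches.items())]
    return merkle_levels(leaves)[-1][0]


def account_leaves(account):
    """Tier 3 leaves: session id bound to its session root, ordered by session id."""
    return [sid.encode() + session_root(br) for sid, br in sorted(account.items())]


def account_root(account):
    """Tier 3: the single value the user and server would jointly sign."""
    return merkle_levels(account_leaves(account))[-1][0]


def share_session(account, sid):
    """Leaf and sibling path proving one session sits under the account root."""
    pos = index = sorted(account).index(sid)
    leaves = account_leaves(account)
    path = []
    for level in merkle_levels(leaves)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):  # no sibling means this node was promoted
            path.append((level[sibling], sibling < index))
        index //= 2
    return leaves[pos], path


def verify(leaf, path, root):
    """Recompute the root from a shared leaf and its sibling path."""
    acc = H(LEAF, leaf)
    for sibling, sibling_is_left in path:
        acc = H(INNER, sibling, acc) if sibling_is_left else H(INNER, acc, sibling)
    return acc == root


# Constructed sample account: session s1 holds a regenerated answer as branch b1.
ACCOUNT = {
    "s1": {"b0": [("What is a Merkle tree?", "A hash tree."), ("Why use it?", "Short proofs.")],
           "b1": [("What is a Merkle tree?", "A hash tree."), ("Why use it?", "Tamper evidence.")]},
    "s2": {"b0": [("Summarise RFC 6962", "Certificate Transparency logs.")]},
    "s3": {"b0": [("hello", "hi")]},
}

if __name__ == "__main__":
    root = account_root(ACCOUNT)
    leaf, path = share_session(ACCOUNT, "s2")
    print(root.hex(), verify(leaf, path, root))
```

In this sketch a regenerated answer shares its chain prefix with the original branch, so only the tail differs, and any edit to one answer changes the session root and the account root, which invalidates previously issued proofs.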

If this is right

  • Account-level conversation records remain consistent and tamper-evident even when users perform re-prompting, regeneration, deletion, or selective sharing.
  • Concurrent non-deletion operations from multiple devices merge deterministically without requiring additional trust beyond the cryptographic primitives.
  • Asynchronous user devices can autonomously detect server-induced view forks and generate non-repudiable evidence via the gossip protocol.
  • Security metadata adds only 0.9 percent storage overhead for realistic conversation sizes while keeping core cryptographic operations in the sub-millisecond to low-millisecond range.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same state-transition model could be applied to other non-linear interaction logs such as collaborative document editing or version-controlled code repositories.
  • Selective sharing of sub-branches may allow users to prove specific conversation segments in audits without exposing the entire history.
  • Integration with existing compliance frameworks could reduce reliance on centralized logging servers for regulated AI services.

Load-bearing premise

The serialized state transition protocol with deletion barriers and the deterministic state-merge protocol correctly resolve all conflicts arising from non-linear operations without introducing new inconsistencies.

What would settle it

A concrete counter-example in which a malicious server produces two distinct but internally consistent account views after a sequence of concurrent deletions and regenerations that both pass the denial-check and gossip verification steps.

Figures

Figures reproduced from arXiv: 2606.23003 by Feihong Li, Jiali Zheng, Jiayue Liu, Ruilin Xing, Wanzhi Xie, Wei Liu.

Figure 1: Hash chain structure of Q&A nodes in the interaction layer
Figure 2: Three-Layer Authenticated Data Structure of VCT
Figure 3: Account-State Transition for New Session Creation
Figure 4: Account-State Transition for Message Appending
Figure 5: Account-State Transition for Branch Creation
Figure 6: Account-State Transition for Session Deletion
Figure 7: Merge scenarios on the same conversation.
Figure 8: Merge scenarios on the same conversation.
Figure 9: Minimal-state operation latency (N = 50, synthetic payload). Account updates (including merge) report end-to-end latency Te2e. Gossip and sharing are measured as standalone primitives. Share operations use 2 nodes per trial without owner proofs. As shown in
Figure 10: Protocol latency breakdown of core update operations. This figure exclusively
Figure 11: Scalability trends for account-root-modifying operations (
Figure 12: Scale experiment for verification-oriented operations (
Figure 13: Storage overhead and Merkle proof size: (a) security metadata volume; (b) account
Figure 14: Real-payload evaluation: latency comparison between synthetic and real workloads.

Original abstract

Large language model (LLM) interaction records are increasingly vital in digital forensics and compliance auditing. However, traditional linear tamper-evident logs fail to capture the inherent non-linear evolution of LLM conversations, such as re-prompting based on historical queries, response regeneration, session deletion, multi-device concurrency, and selective sharing. To address this issue, this paper proposes Verifiable Conversation Transcript (VCT), which abstracts complex non-linear LLM semantic operations into account-level authenticated state transitions. VCT constructs a three-tier cryptographic data structure: atomic Q&A pairs form branch-level hash chains, branch tails aggregate into session-level Merkle roots, and all session roots are further aggregated into an account-level Merkle root anchored by joint signatures from both the user and the server. VCT introduces a serialized state transition protocol with deletion barriers to eliminate conflicts between deletion and modification, complemented by a deterministic state-merge protocol to preserve concurrent non-deletion incremental operations. Furthermore, incremental denial checks and a gossip protocol enable asynchronous user devices to autonomously detect view forks caused by malicious servers and generate non-repudiable forensic evidence. Security analysis demonstrates that, under standard cryptographic assumptions, VCT guarantees the integrity, consistency, verifiable shareability, and non-repudiation of account-level conversation records. Evaluation of a Python prototype shows that the cryptographic latency of core operations is within sub-millisecond to low-millisecond ranges. Under a realistic configuration with 21 KB of text, security metadata introduces a negligible storage overhead of only 0.9%, validating the deployment feasibility of VCT for high-stakes forensic review on production-grade LLM platforms.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes Verifiable Conversation Transcript (VCT), a system for account-level LLM conversation records that handles non-linear operations (re-prompting, regeneration, deletion, concurrency, selective sharing) via a three-tier cryptographic structure: branch-level hash chains on atomic Q&A pairs, session-level Merkle roots, and account-level Merkle roots with joint user-server signatures. It defines a serialized state transition protocol with deletion barriers and a deterministic state-merge protocol, plus incremental denial checks and a gossip protocol for fork detection. The central claim is that, under standard cryptographic assumptions, these mechanisms guarantee integrity, consistency, verifiable shareability, and non-repudiation, with a Python prototype showing sub-millisecond to low-millisecond cryptographic latency and 0.9% storage overhead for 21 KB text.

Significance. If the protocols are shown to be correct, VCT would provide a practical, low-overhead mechanism for tamper-evident, forensically usable records of inherently non-linear LLM interactions, addressing a gap in compliance and auditing for production LLM platforms. The prototype numbers indicate deployment feasibility, but the absence of machine-checked proofs or exhaustive analysis limits the strength of the contribution.

major comments (2)
  1. [Security analysis / state-merge protocol description] Security analysis (as summarized in the abstract): the claim that the deterministic state-merge protocol resolves every conflict arising from non-linear operations (re-prompting, regeneration, deletion, concurrency) without new inconsistencies or extra trust assumptions is not supported by a formal proof, reduction to standard assumptions, or exhaustive enumeration of interleavings; the description relies on hash chains, Merkle roots, and joint signatures but provides no derivation steps or case analysis showing that all possible concurrent non-deletion updates produce consistent views.
  2. [Threat model / protocol definitions] Threat model and protocol definitions: no explicit threat model section details the exact capabilities of a malicious server (e.g., ability to reorder or suppress non-deletion updates) or the precise invariants preserved by the serialized state transition protocol with deletion barriers; without this, it is impossible to verify that the integrity/consistency/non-repudiation guarantees hold under the stated standard cryptographic assumptions.
minor comments (2)
  1. [Evaluation] The abstract references a 'realistic configuration with 21 KB of text' and 0.9% overhead but does not cite the corresponding table or figure containing the full latency/storage measurements.
  2. [System architecture] Notation for the three-tier structure (branch hash chains, session Merkle roots, account Merkle root) is introduced without a diagram or pseudocode listing the exact aggregation functions.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments, which highlight areas where the manuscript can be clarified and strengthened. We address each major comment below and commit to revisions that improve the presentation of the security arguments and threat model without altering the core technical contributions.

Point-by-point responses
  1. Referee: Security analysis (as summarized in the abstract): the claim that the deterministic state-merge protocol resolves every conflict arising from non-linear operations (re-prompting, regeneration, deletion, concurrency) without new inconsistencies or extra trust assumptions is not supported by a formal proof, reduction to standard assumptions, or exhaustive enumeration of interleavings; the description relies on hash chains, Merkle roots, and joint signatures but provides no derivation steps or case analysis showing that all possible concurrent non-deletion updates produce consistent views.

    Authors: The manuscript's security analysis (Section 5) derives consistency from the collision resistance of the hash function and unforgeability of joint signatures, arguing that the deterministic merge rules on session Merkle roots and branch hash chains produce identical views for any ordering of non-deletion updates. We acknowledge that the current text provides only high-level reasoning rather than exhaustive interleaving enumeration or a reduction proof. We will add a new subsection with explicit case analysis for representative concurrent scenarios (e.g., simultaneous regenerations on different branches) and derivation steps showing preservation of the account root invariant. A machine-checked formal proof remains outside the scope of this systems paper but is noted as future work. revision: partial

  2. Referee: Threat model and protocol definitions: no explicit threat model section details the exact capabilities of a malicious server (e.g., ability to reorder or suppress non-deletion updates) or the precise invariants preserved by the serialized state transition protocol with deletion barriers; without this, it is impossible to verify that the integrity/consistency/non-repudiation guarantees hold under the stated standard cryptographic assumptions.

    Authors: We agree that a dedicated threat model section is missing and would improve verifiability. The protocols implicitly assume a malicious server that can reorder, suppress, or forge non-deletion messages but cannot break the cryptographic primitives or delete without user consent due to deletion barriers. In the revision we will insert an explicit threat model subsection (new Section 3.1) that enumerates server capabilities, lists the preserved invariants (e.g., no undetected forks on non-deletion paths, deletion barriers prevent post-deletion modifications), and maps each guarantee to the relevant cryptographic assumption. revision: yes

Circularity Check

0 steps flagged

No circularity: VCT is a direct system definition under standard crypto assumptions

Full rationale

The paper defines VCT via explicit constructions (three-tier hash/Merkle structure, serialized state transitions with deletion barriers, deterministic merge protocol, gossip-based fork detection) and asserts security properties directly from standard cryptographic assumptions (collision resistance, signature unforgeability). No equations, parameters, or protocols are shown to reduce to fitted values, self-definitions, or self-citation chains; the security analysis is presented as a demonstration resting on those external primitives rather than internal renaming or prediction-from-fit. The construction is therefore self-contained and does not exhibit any of the enumerated circularity patterns.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 1 invented entity

The proposal rests on standard cryptographic assumptions for hash functions and signatures; no free parameters are introduced, and the new protocols and data structure are the primary contribution without external independent evidence.

axioms (1)
  • [standard math] Standard cryptographic assumptions (collision resistance of hash functions and unforgeability of signatures)
    Invoked to support all integrity and non-repudiation guarantees.
invented entities (1)
  • VCT three-tier data structure and state transition protocols [no independent evidence]
    purpose: To abstract non-linear LLM semantic operations into authenticated account-level state transitions
    Newly defined system component without independent falsifiable evidence outside the proposal.

