A 2D Cryptographic Hash Function Incorporating Homomorphic Encryption for Secure Digital Signatures

User authentication is a critical aspect of any information exchange system which verifies the identities of individuals seeking access to sensitive information. Conventionally, this approachrelies on establishing robust digital signature protocols which employ asymmetric encryption techniques involving a key pair consisting of a public key and its matching private key. In this article, a user verification platform constructed using integrated circuits (ICs) with atomically thin two‐dimensional (2D) monolayer molybdenum disulfide (MoS2) memtransistors is presented. First, generation of secure cryptographic keys is demonstrated by exploiting the inherent stochasticity of carrier trapping and detrapping at the 2D/oxide interface trap sites. Subsequently, the ability to manipulate the functionality of logical NOR is leveraged to create a secure one‐way hash function which when homomorphically operated upon with NAND, XOR, OR, NOT, and AND logic circuits generate distinct digital signatures. These signatures when subsequently decrypted, verify the authenticity of the receiver while ensuring complete preservation of data integrity and confidentiality as the underlying information is never revealed. Finally, the advantages of implementing a NOR‐based hashing techniques in comparison to the conventional XOR‐based encryption method are established. This demonstration highlights the potential of 2D‐based ICs in developing critical hardware information security primitives.


Introduction
[3] Therefore, ensuring information privacy and confidentiality against unauthorized access over potentially insecure communication channels is one of the most critical aspects of a communication network.While encryption techniques provide a degree of security benefits by encoding a plaintext into an unintelligible cipher text using a secret key, recent years have unfortunately witnessed mounting instances of unauthorized data breaches, exposing the vulnerabilities of the present-day information security systems. [4][7] Therefore, with the projected surge in data generation and proliferation of digital services in forthcoming years, establishing secure and robust encryption and user verification schemes will emerge as one of the most pivotal facets of the information exchange framework. [8]ypically, digital signatures are employed to overcome the limitations of symmetric encryption and accomplish user verification.Similar to a handwritten signature on a paper document, a digital signature is a cryptographic technique that employs an asymmetric encryption algorithm, also known as public-key cryptography [9,10] that comprises of a secretly held private key and an openly accessible public key which are utilized for generation and verification of the signature, respectively. [11]wing to its association with the user's private key, digital signatures foster trust, non-repudiation, and an assurance that the information has indeed been shared by the claimed user since any modifications to its content would yield a distinct signature upon verification.Some of the most widely used public key cryptosystems for digital signatures employ elliptical curve cryptography, [12,13] Rivest-Shamir-Adleman algorithms, [14,15] and El Gamal encryption systems based on Diffie-Hellman key exchange. [16,17] key feature of the digital signature algorithm involves mapping the information onto a unique one-way encryption module, known as a hash function from which, retrieving the original information becomes infeasible. [18,19]The signature is then typically generated by encrypting this hash value with the user's private key and verified subsequently by matching the decrypted cipher with the original hash value using the public key.While this process ensures data integrity and confidentiality, the open accessibility of the public key makes it susceptible to malicious attacks which could potentially involve instances of falsified user identity.In addition, the types and number of encryption operations that can be performed on the hash function often remain finite.[22] Since the results of the computations remain in an encrypted form, homomorphic encryption offers flexibility to the user by allowing a potentially untrustworthy third-party vendor involved in an outsourced cloud-based service to perform computational processes on the data without the need of decrypting it first. [23,24]This is in sharp contrast to the conventional advanced encryption standard and data encryption standard which require a decryption step prior to any subsequent operations. [25,26]Therefore, given their unique properties, homomorphic ciphers can be exploited to expand the encryption space and enable innovative and holistic platforms for establishing secure and robust user authentication schemes.
In this article, we delve into a scenario where a sender (Alice) seeks to verify the authenticity of the intended recipient (Bob) and demonstrate a digital signature scheme that takes advantage of programmable integrated logic circuits (ICs) constructed using 2D monolayer MoS 2 based memtransistors.Figure 1a,b, respectively, provide a conceptual framework and an example demonstration of the proposed scheme which encompasses three critical steps.First, Alice takes a message (A), which in this case is a digitalized cameraman image taken from a standard MATLAB library, and generates its equivalent hash function (H) using her private key, (Key Alice ), logically symbolized as B from here onward.She accomplishes this by leveraging her ability to manipulate the logical NOR output through localized programming of the MoS 2 memtransistor.Bob, in order to verify his authenticity on the request of Alice generates a one-time pad (OTP) which in this case refers to his private key (Key Bob ) logically symbolized as C here onward and performs a single homomorphic operations on Alice's hash function by utilizing any one of the diverse logic circuits such as NAND, XOR, OR, NOT, and AND, where each operation results in the creation of a distinct digital signatures (E).Finally, Alice proceeds to decrypt (D) Bob's homomorphic signature with her Key Alice which effectively restores the hash value and verifies the legitimacy of Bob as the intended recipient.Our approach showcases a hardware demonstration of asymmetric cryptography algorithm which employs distinct and independent keys for the encryption and decryption processes for user authentication protocols.Figure S1 (Supporting Information) provides a schematic flowchart of the authentication process in order to further enhancereader's understanding.Note that the decision to employ an OTP-based cryptographic method for the generation of digital signatures is motivated by the inherent vulnerability of public keys, which can be susceptible to manipulation or unauthorized access by potential adversaries.

Characterization of MOCVD-Grown Monolayer MoS 2 Film
The MoS 2 used in this study was grown using metal-organic chemical vapor deposition (MOCVD) technique on an epitaxial sapphire surface at 950 °C. [27]Our choice of incorporating MoS 2 as the channel material stems from its robustness which has consistently resulted in high-performing devices in comparison to other TMDs.In fact, recent demonstrations of integrated circuits, [28][29][30][31][32][33][34] microprocessors, [35] and even neural networks [36][37][38][39] built using MoS 2 stand testament to their maturity as an ultra-thin channel material.Moreover, low-dimensional materials enable technologies beyond the von Neumann architecture by easing the area, energy, and memory efficiency bottlenecks commonly encountered in scaled silicon devices. [40,41]he presence of the grown film was first evaluated using Raman spectroscopy where the characteristic in-plane E 1 2g and outof-plane A 1g vibrational modes obtained from a representative MoS 2 film were found to be at 385 cm −1 and 403 cm −1 , respectively, while the photoluminescence (PL) peak was observed at 1.82 eV as shown in Figure S2 (Supporting Information).The material growth was subsequently accompanied by the fabrication of logic circuits.Further details on the synthesis of monolayer MoS 2 , film transfer, and logic circuit fabrication can be found in the Experimental Section of the manuscript.
Figure 2a,b, respectively, show the device schematic along with the corresponding optical image of a representative MoS 2 memtransistor comprising of a heavily doped p ++ -Si substrate, a platinum/Titanium (Pt/TiN) back-gate electrode (V BG ), a 50 nm Alumina (Al 2 O 3 ) gate dielectric and Ni/Au (40/30 nm) as the source and drain contacts.Since our logic circuits involved multiple individual memtransistors, we examined the variations in the device performances.Figure 2c shows the transfer characteristics of a total of 100 MoS 2 memtransistors in a logarithmic scale where the source to drain current (I DS ) is measured as a function of the local back-gate voltage (V BG ) at a drain bias V DS = 1 V.It is important to highlight that a memtransistor, as a multi-terminal device with an additional "gate" electrode, integrates the characteristics of both a memristor and the gate tunability of a transistor.[44] Clearly, our MoS 2 memtransistors exhibit good device performance, which is evident through its dominant electron (n-type) transport behavior, low gate leakage currents, and an excellent ON/OFF ratio of ≈10 7 .In addition, we also extracted the threshold voltage (V TH ) values at an iso-current of 100 nA, subthreshold slopes (SS) over three orders of I DS change and the electron field effect mobility (μ FE ) using the transconductance (g m = ∂I DS /∂V BG ) method for all fabricated memtransistors.Figure 2d,f show the Gaussian fitted distributions of V TH , SS, and μ FE , respectively, along with their corresponding mean (μ) and standard deviation () values.Here, the  V TH , μ ss , and   FE values were found to be 1.44 V, 278.67 mV dec −1 , and 16.12 cm 2 V × s, while the correspond- ) an example demonstration of our proposed scheme where a sender (Alice) who is seeking to verify the authenticity of the recipient Bob generates a hash function (H) of her digital message (M) using her private key (B).She accomplishes this by leveraging the ability to manipulate the logic NOR output through localized programming of the MoS 2 memtransistor.Subsequently, on her request, Bob choses to perform homomorphic operations using his OTP private key (C) by utilizing diverse logic circuits such as NAND, XOR, OR, NOT, and AND.Finally, Alice confirms and verifies the authenticity of Bob by decrypting his homomorphic signatures using her private key (B), which restores her original hash value.
ing  V TH ,  ss , and   FE values were found to be 0.16, 41.71, and 3.51, respectively.Figure S3 (Supporting Information) further shows the linear scale transfer characteristics plots for all the MoS 2 memtransistors, their corresponding V TH distribution along with the output characteristics of a representative memtransistor where the drain current (I DS ) is plotted against the drain-to-source voltage (V DS ) for different back-gate voltage (V BG ) biases.With a I ON value of ≈5 μA μm −1 at a V DS = V BG = 5 V, our devices demonstrate excellent performance.These results confirm the excellent quality of our grown film.Moreover, we also looked into the phenomenon of gate-induced drain leakage, a type of leakage mechanism stemming from the overlap between the gate and drain terminals in a transistor. [45,46]We found that our MoS 2 memtransistors demonstrated minimal leakage currents which further corroborates the robustness of our fabrication process.
Figure S4 (Supporting Information) provides a detailed explanation of the phenomenon using transfer characteristics (logarithmic scale) of a representative MoS 2 memtransistor.Note that all our devices had channel lengths (L CH ) and widths (W CH ) of 1 μm and 5 μm, respectively.

Construction of Cryptographic Keys Using Cascaded Three-Stage Inverters
The first step toward ensuring the robustness of our authentication scheme is generation of high-quality, unpredictable, and random cryptographic keys which when incorporated into the verification process,makes it significantly harder for an adversary to forge or tamper with the signature.Here, both Alice and Bob derive Key Alice and Key Bob , respectively, by utilizing their independent random number generator circut consisting of two cascaded three-stage inverters (TSI) integrated with a logical XOR gate constructed using multiple MoS 2 memtransistors.Note that this circuit has been reported in a recent work. [47]igure 3a shows the overall circuit schematic of the key generation module where the outputs from stage 3 of two different TSI's, V S3 and V′ S3 are, respectively, fed as inputs to the XOR gate whereas Figure 3b,c, respectively, show the optical images of cascaded TSI module 1 and an XOR gate.While an inverter, or a NOT gate implements logical negation and outputs a voltage representing the opposite logical state to its input, an XOR gate implements an exclusive OR and provides a high output only when one of its two inputs is high.Note that a TSI comprises of a series connection of three inverters where the output from each stage is successively fed as an input to the next stage.It is also worth mentioning here that in order to enable the circuit operations in the absence of a p-type MoS 2 , the source and drain of MoS 2 memtransistors MT 1 , MT 3 , MT 5 , MT 7 , MT 9 , and MT 11 from the two TSI modules along with MT 13 , MT 15 , MT 17 , MT 18 , and MT 20 from the XOR gate were shorted to the source as depletion loads.
Next, by exploiting the presence of interfacial trap states at the MoS 2 /Alumina interface and the inherent stochasticity associ-ated with the nature of carrier trapping and detrapping process at these trap sites as the source of randomness, both Alice and Bob generate their respective cryptographic keys.[50] We have chosen a supply bias voltage (V DD ) of 2 V for all the logic operations.Here, we would like to emphasize on the reason for incorporating a three-stage inverter in design which is rooted in the ability of the circuit to abruptly transition between the two logic states (0 and 2 V) as a result of increasing gain, defined as the slope of the inverter output characteristics provided by multiple inverters cascaded together.Figure 3e shows the measured gain of the first, second, and third stage inverters from TSI module 1, with the values of 60, 112, and 194, respectively, whereas Figure 3f,g, respectively, show a representative 64-bit long V S3 plot for the same inverter measured at a read voltage (V read ) of −100 mV at a sampling rate ( S ) of 100 ms along with the corresponding delta-like distribution for all 4096 bits which toggles between the low (0 V) and high (2 V) logic levels.Figure S5 (Supporting Information) shows the V S1 and V S2 plots for the first and second stage inverters where, as a result of lower gain values, the fluctuations never  c) XOR gate comprising of several MoS 2 memtransistors where the gates of some of the memtransistors are shorted to the source terminal as depletion loads in order to enable circuit operations.d) The output characteristics (V S3 ) plot of the third stage inverter from TSI module 1 where a finite hysteresis confirms the presence of trap states.e) measured the gain of the first, second, and third stage inverters from TSI module 1 with the gain values of 30, 117, and 188, respectively.f) V S3 plot for the third stage inverter measured at a read voltage (V read ) of −100 mV at a sampling rate ( S ) of 100 ms along with the g) corresponding delta-like distribution which toggles between the low (0 V) and high (2 V) logic levels.
reach the high logic level (2 V).Similarly, Figure S6 (Supporting Information) shows the V′ S1 , V′ S2 , and V′ S3 plots for the first, second and third stage inverters from TSI module 2. In addition, it is important to choose a V read that lies within the hysteresis window range in order to extract maximum stochasticity from the output fluctuations.Figure S7 (Supporting Information) shows V S3 plots for two different V read values of −0.5 and 0.5 V outside this hysteresis window which show no observable fluctuations.This is evident since the inverter always remain either at a high (2 V) or a low (0 V) logic level, respectively, at these V read values.Finally, the bits generated from the two TSI modules are passed through a XOR logic for eliminating any bit biases.Figure S8 (Supporting Information) shows the output characteristics of the XOR logic gates along with its truth table.

Test of Randomness and Security Evaluation of Cryptographic Keys
Prior to evaluating their security strength, both the cryptographic keys were subjected to statistical tests developed by the National Institute of Standards and Technology (NIST), [51] which evaluates whether the generated bit sequences possess sufficient levels of entropy or randomness for cryptographic protocols such as data encryption and decryption.[54][55][56] In addition, the generated keys also pass all of the 15 NIST SP800-22 tests with a confidence interval of 99%.These results are summarized in Figure S9a,b, (Supporting Information), respectively.
Following the NIST evaluation, both Key Alice and Key Bob , each comprising of 4096 bits were partitioned into 64 sets of keys, each containing 64 bits for assessment of their cryptographic strength.Figure 4a shows the plots for bit uniformity and entropy, both of which are critical indicators for determining the authenticity of randomness within a given sequence of bits.While uniformity refers to the overall proportions of "0" s and "1" s with an optimal value of 0.5 (50%), entropy is a measure of uncertainty with a corresponding maximum ideal value of '1′ for a 1-bit information and can be calculated using the expression below where p and (1 − p), respectively, represent the probabilities of obtaining a bit '1′ and bit '0′.From the plots, the mean bituniformity (μ U ) values were found to be ≈0.52 and 0.49 while the mean entropy (μ E ) values were found to be ≈0.98 and 0.97, both of which are very close to their respective ideal values, for both the Key Alice and Key Bob , respectively.The cryptographic secu-rity was further assessed by calculating the intra-hamming distance (HD intra ) and the intra-correlation coefficient (CC intra ) between all the possible 64 C 2 key combinations.Note that the term 'intra' refers to comparisons within the generated keys.While HD refers to the number of bit flips required to transform a given key into another key, CC is a measure of linear similarity between two keys.For ensuring cryptographic security, HD should ideally be 50% of the total key length whereas CC should have an ideal value of 0. Figure 4b shows the distribution of HD intra fitted using Gaussian functions for both Key Alice and Key Bob with their respective means (μ HD − intra ) of 32.05 and 31.8, and standard deviations ( HD − intra ) of 4.01 and 4.06, respectively.Similarly, Figure 4c shows the Gaussian fitted distribution of CC intra for both Key Alice and Key Bob with the mean values (μ CC − intra ) of 0.01 and 0.02, and standard deviations ( CC − intra ) of 0.12 and 0.13, respectively.
Another metric for evaluating the true randomness of the keys is the autocorrelation function (ACF), which refers to the presence of any visible short-range periodicity of a bit stream with itself over extended periods of time.ACF lies within the interval [−1,1], where a value of −1, 0, and 1, respectively, indicate anticorrelation, no correlation, and complete correlation.Figure 4d shows the 3D ACF plots for all the 64 Key Alice and Key Bob keys plotted as a function of 64 lags where, the presence of low-magnitude spikes with minimal periodicity clearly indicate their random and uncorrelated nature.In addition, it is also important that both Key Alice and Key Bob remain statistically independent from one another.Figure 4e,f, respectively, show the distribution of HD inter and CC inter fitted using Gaussian functions where, the term "inter" refers to comparisons between Key Alice and Key Bob .The μ HD − inter and μ CC − inter values were found to be 31.4and 0.03 with  HD − inter and  CC − inter values of 3.98 and 0.12, respectively.Furthermore, we examined their uniqueness by generating three independent sets Key Alice and Key Bob , each Figure 4g,h, respectively, show the colormaps of μ HD − inter and μ CC − inter between each of the 9 possible combinations with near ideal values.Figure S10 (Supporting Information) shows the 3D histogram plots of the HD inter and CC inter for all the 9 possible pairs.

Construction and Evaluation of the Cryptographic Hash Function
In cryptography, a hash function is an encryption algorithm that transforms an input or a message into a distinct fixed-size representation known as a hash value or digest. [57,58]Perhaps, what sets a hash function apart is its remarkable one-directional encryption property where recovering the original input data from the generated hash value becomes practically infeasible. [59]This is in stark contrast to the conventional symmetric encryption methods relying on operations like XOR.This unique capability when combined with homomorphic operations makes hash functions exceptionally intriguing for developing secure digital signature schemes.Among the most widely recognized and highly secure hash algorithms today are secure hash algorithm (SHA-256) and SHA-3. [60,61]In this section, we will describe how locally back-gate programming in a MoS 2 memtransistor enables Alice to manipulate the logical expression of a conventional logic NOR to create a robust and secure hash function.
Figure 5a,b, respectively, show the optical image and the corresponding circuit schematic of a NOR gate implemented using a combination of three MoS 2 memtransistors MT 1 , MT 2 , and MT 3 with inputs V A and V B and its corresponding output (V H ). Being a universal gate and a complementary form of an exclusive OR, a NOR typically implements the Boolean expression H = (A + B), where V H clamps to V DD (logic state '1′) only when both V A and V B are at 0 V (logic state '0′).However, by exploiting the programmability in our MoS 2 memtransistors, Alice tunes the fundamental logic operation of NOR to create a robust hash function whose Boolean expression can be represented using the equation H = (A + B) × ( Ā + B).Note that a hash function generated through a conventional NOR remains cryptographically weak due to the presence of inherent bit bias (toward '0′) as shown using Figure S11 (Supporting Information).
Figure 5c,d, respectively, show the output characteristics and the corresponding truth table of a hashed NOR where V H = V DD = 2 V for a new input combination of V A = 2 V (logic state '1′) and V B = 0 V (logic state '0′).This results in the elimination of the inherent bit bias in a conventional NOR as previ-ously stated.Alice accomplishes this by adjusting the V TH of MT 2 memtransistor to a more positive value through the application of a large programming pulse (V P ) of 13 V to its V BG for a duration ( p ) of 100 ms.63] Figure S12 (Supporting Information) further provides a simplified explanation of creating the hash function using a resistor network for the reader's convenience whereas Figure S13 (Supporting Information) provides a schematic comparing the encryption and decryption between the XOR and programmed NOR logic gates.
To confirm Bob's authenticity, Alice takes the input message A, which is the digitalized cameraman image and encrypts it with her Key Alice (B) to create its equivalent hash function H utilizing the hashed NOR logic.Note that for a better depiction of the hashing process as shown in Figure 5e,g, respectively, both the inputs A and B, as well as the hashed output H are represented using 64bit plots taken from their accompanying 64 × 64-bit maps which provide the entire overview of these parameters.First, the collision resilience of the hash function was evaluated by encrypting three different input messages and generating their equivalent hash values using similar hashed NOR logic.A hash collision occurs when two or more inputs produce the same hash value which can compromise data integrity and expose the vulnerabilities in security protocols such as digital signatures and password sharing. [64]Therefore, minimizing the possibility of collision is one of the most critical requirements of a robust hash function.Figure 5h,i, respectively, shows the 3D histogram plots of HD inter and CC inter between all the three different pairs of hash values generated using a total of three different input messages.Clearly, each hash value appears to be unique and uncorrelated which can also be confirmed on observing their respective μ HD − inter and μ CC − inter values shown in Figure S14 (Supporting Information).
Finally, since Alice will transmit her hash function to Bob through a potentially insecure channel, it becomes imperative to assess its cryptographic strength.Figure 5j shows the plot for both bit uniformity and entropy where μ U and μ E were found to have near-ideal values of 0.48 and 0.98, respectively.Similarly, Figure 5k,l shows the distribution of HD intra and CC intra for all 64 C 2 key combinations fitted using Gaussian functions, respectively.Here, the  HD intra and  CC intra were once again found to have values of 33.02 and 0.003, while  HD intra and  CC intra had the values of 4.04 and 0.129, respectively.These results affirm the strength of Alice's hash function.Moreover, the NOR logic remained stable when measured again post-hash encryption as shown in Figure S15 (Supporting Information).In addition, the memory window was found to last until ≈10 years when fitted using an empirical mathematical model with fitting parameters as previously described. [63]These details are further provided in Figure S16 (Supporting Information).

Generation and Verification of Homomorphic Digital Signatures
Here, we illustrate a situation in which Alice's objective is to have Bob verify his authenticity by executing a homomorphic NAND operation on her hash value H utilizing his Key Bob (C). Figure 6a shows the overall schematic detailing the process of signature  and c) modified output characteristics of NOR logic circuit along with its d) truth table which is accomplished by tuning the threshold voltage of MT 2 memtransistor.e-g) Process of creating a hash value H from the digital message A by Alice using her Key Alice (B) in order to verify Bob's authenticity.A 3D histogram plot of h) HD inter and i) CC inter between all the three different pairs of hash values generated using a total of three different input messages.Clearly, each hash value appears to be unique and uncorrelated and thereby corroborates the collision resilience of the hash function.Plot for j) bit uniformity μ U and entropy μ E values of the hash function along with the distribution of k) HD intra and l) CC intra which were found to have near-ideal values.and d) output characteristics of the NAND gate constructed using MoS 2 memtransistors where the gate and source of MT 3 are shorted to act as a constant load resistor.Sequence for verifying user authentication.Bob upon receiving e) Alice's hash function H uses his f)Key Bob (C) and proceeds to perform the homomorphic NAND operation as shown in g) to generate a unique signature (E NAND ).In order to verify and confirm Bob's authenticity, Alice proceeds to decrypt Bob's cipher using h) Key Alice (B) which i) matches with her original hash H. generating and verification.Figure 6b,c, respectively, show the optical image and the circuit schematic of a NAND gate constructed using MT 1 , MT 2 , and MT 3 memtransistors with MT 3 serving as a depletion load.Here, we would like to mention that the two NAND inputs are represented using Alice's hash function (H) and Figure 6d illustrates the logical output (E NAND ) for the NAND operation which clamps to V GND only when both the inputs H and C are at a logic high (V DD = 2 V).This is because both MT 1 and MT 2 remain more conductive than MT 3 .For all the other input combinations, MT 3 remains more conductive which effectively clamps E NAND to V DD = 2 V.Note that this operation adheres to the conventional NAND logic which also represents an inverted AND.Upon receiving Alice's hash function, Bob proceeds with the requested homomorphic operation and generates a unique signature E NAND as shown using Figure 6e,g, respectively.On receiving Bob's signature, Alice subsequently proceeds to decrypt it using her Key Alice (B) where, the confirmation of the decrypted cipher (D NAND ) matching her original hash value H as shown using Figure 6h,i, respectively, allows her to verify and confirm Bob's authenticity.Note that the decrypted map was recreated by setting a threshold (V T ) at 1 V, where all the values lying above and below V T were assigned a digital "1" and a digital "0", respectively.This process of signature generating and verifying homomorphic signatures is equally applicable to other logical operations such as XOR, OR, NOT, and AND. Figure S17 (Supporting Information) shows the construction, circuit schematic, and output characteristics of logic gates while Figure S18 (Supporting Information) shows Bob's signature generation and verification process for these homomorphic logic operations.

Security Evaluation of Digital Signatures
We also evaluated the cryptographic strength of all the homomorphically generated signatures.Figure 7a shows a 3D bar plot of mean bit uniformity μ U and entropy μ E values which reveal a distinct trend.Notably, signatures generated using homomorphic NAND and OR operations exhibit higher values of μ U , whereas homomorphic AND displays a lower μ U value.This behavior arises from the inherent bit bias associated with each logical operation.For example, NAND and OR tend to bias toward bit '1′ while AND biases more toward bit '0′.The presence of these in-herent biases manifests themselves in the form of less than ideal μ E values.In contrast, both XOR and NOT do not display any such bit biases.Figure S19 (Supporting Information) shows the 2D plots for uniformity and entropy calculated for all the homomorphic operations.Figure 7b,c, provides the 3D histogram of HD intra and a bar plot of  HD intra , respectively, revealing the impact of the bit biases on the hamming values for NAND, OR, and AND operations.Meanwhile, Figure 7d,e, respectively, show the 3D histogram of CC intra and a bar plot of  CC intra with near ideal values.Finally, we also assessed the uniqueness of each signature in relation to one another.Figure 7f,g, respectively, show 3D histogram of HD inter and a colormap of  HD inter whereas Figure 7h,i, respectively, show 3D histogram of CC inter and a colormap of  CC inter for all 10 possible pairs.The results reveal sufficiently ideal values, indicating that the generated signatures are physically distinct from one another.However, it is important to acknowledge here that homomorphic encryption is computationally intensive with a higher performance overhead compared to traditional encryption methods.Figure S20 (Supporting Information) shows the energy expenditure for generating both Key Alice and Key Bob as well as the signature generation and verification modules.The energy for generating cryptographic keys was found to be E TRNG = 20 pJ bit −1 while the total energy expenditure encompassing signature generation and verification was found to be E Total = 60 pJ bit −1 .We believe that design improvisations such as utilization of thinner gate dielectrics and faster sampling time ( s ) could lead to practical adoption and implementation of fully homomorphic digital signature platforms in the future.

Authentication System Involving Homomorphic Signatures from Multiple Users
Until now, we have a scenario involving the verification of a single user (Bob) through the generation of digital signatures using various logical operations.However, it is important to note here that in a more practical setting, the authentication protocol for any given user will typically involve a singular homomorphic operation.This section delves into a situation where Alice aims to confirm the authenticity of multiple user recipients using her authentication protocol.Initially, Alice creates her original hash function by employing a programmed NOR logic as shown in Figure 8a and described in the earlier section.Subsequently, the three recipients in this scenario, namely Henry, John, and David, execute homomorphic XOR, OR, and AND operations on Alice's hash function with their respective private OTP keys, Key Henry , Key John , and Key David to establish their authenticity.It is noteworthy that all private keys are independent and uncorrelated from each other.In the final step, Alice decrypts the individual homomorphic signature from Henry, John, and David using her original private key or Key Alice ensuring each case aligns with her initial hash value.This process verifies the legitimacy of the intended recipients as illustrated in Figure 8b.More importantly, despite the uniqueness of the encryption keys, the capability to construct a one-way hash function through programmable NOR significantly expands the parameter space of the user authentication protocol involving multiple users while safeguarding the confidentiality of the underlying information.Figure S21 (Supporting Information) provides a conceptual framework of the authentication scheme.
Since each homomorphic signature is generated using distinct user private keys, we have analyzed their cryptographic strength.These details are provided in Figure S22 (Supporting Information).While all the signatures demonstrate sufficient security and resilience, a few observable trends must be highlighted.In instances where the signatures are generated using logical operations with similar bit biases, the  HD inter values tend to be slightly deviate from the ideal value of 32.For instance, the  HD inter value between the NAND and OR digital signatures generated by Bob and John, respectively, was measured at 24.This discrepancy can be attributed to the inherent nature of their respective operations, where for a total of three input combination pairs, the output results in a bit "1", leading to cryptographic keys with a higher proportion of bit '1′.On the contrary, the  HD inter values between Bob's NAND and David's AND signature were found to be 40, surpassing the expected value of 32.This contrast can be elucidated by the logical operations involved, where the two generated keys exhibit a higher proportion of bit '1′ and bit '0′, respectively.Notably, such deviations were not observed in signatures generated through the logical XOR operation.

Comparison between NOR and XOR-Based User Verification Scheme
Finally, we delve into another scenario where Alice performs user verification procedures on the encrypted ciphers generated through XOR operations and compares their outcomes with those yielded by the hashed NOR operations.Figure 9a-e, respectively, show the applied homomorphic NAND operation to the encrypted cipher H, which was the result of a logical XOR operation between the digital message A and Key Alice (B).Additional details regarding the XOR encryption process and its cryptographic security assessment are provided in Figure S23 (Supporting Information).
An interesting observation becomes apparent during Bob's verification process where Alice gains partial access to the underlying information after she decrypts his homomorphic signature (D NAND ) with her Key Alice (B).This finding is in stark contrast to similar verification protocols implemented earlier using the hashed NOR operations.This discrepancy is further confirmed in Figure 9f, which highlights a larger  HD inter values between the decrypted signature verification cipher (D) and the encrypted cipher (M) in case of XOR based scheme.Conversely, NOR-based schemes consistently yield  HD inter values of 0. An exception to this trend is noted for homomorphic NOT operation implemented using the hashed NOR, since it effectively inverts all input bits and obviates the need for a Key Bob .Similarly, Figure 9g illustrates the  CC inter plots, revealing a significant correlation between the decrypted signature verification cipher D and the original digital message M. Figures S24, S25 (Supporting Information), respectively, show the Gaussian-fitted histograms of the HD inter and CC inter for the homomorphic operations involved in the XOR based scheme.In fact, other homomorphic operations based on XOR operations also exhibit similar trends as illustrated in Figure 9h.This suggests that for a XOR-based protocol, the verification cipher (D) does not match with the encrypted cipher M. While, this might appear inconsequential as long as Alice exclusively oversees Bob's verification, it is important to acknowledge that the overall security and integrity of the communication scheme could be severely compromised if Key Alice (B) were to be exposed to adversaries, enabling them to impersonate Alice and manipulate information while repudiating their involvement.

Conclusion
In conclusion, we have demonstrated an integrated hardwarebased digital signature platform constructed using ICs based on atomically thin 2D monolayer molybdenum disulfide (MoS 2 ) memtransistors.We have exploited the inherent stochasticity of carrier trapping and detrapping at the 2D/oxide interface trap sites as the source of randomness to generate of secure and robust cryptographic keys.In addition, we have also leveraged the ability to manipulate the functionality of logical NOR through localized programming of MoS 2 memtransistor to demonstrate a cryptographically secure one-way hash function which was homomorphically operated upon with NAND, XOR, OR, NOT, and AND logic circuits resulting in the generation of distinct and secure digital signatures.Finally, the authenticity of the receiver was verified through subsequent decryption of the generated signatures.Our approach ensures the complete preservation of data integrity while offering privacy and confidentiality since the computational operations are performed on the encrypted data without revealing the underlying information.Finally, we also provide an insight on the advantages of implementing a NOR-based hashing technique in comparison to the conventional XOR-based encryption method.Our demonstration highlights the potential of 2D-based ICs in advancing the fundamental components that are crucial for enhancing information security primitives.

Experimental Section
Large-Area Monolayer MoS 2 Film Growth: Monolayer MoS2 was grown onto a 2-inch c-sapphire base using MOCVD which involved utilizing an inductively heated graphite susceptor with wafer rotation within a cold-wall horizontal reactor to ensure even distribution of the monolayer.Molybdenum hexacarbonyl (Mo(CO)6) stored in a stainless-steel bubbler at 25 °C and a pressure of 375 Torr along with hydrogen sulfide (H2S) were used as precursors.A fixed flow rate of 2.0 × 10 −2 standard cubic centimeters per minute (sccm) was provided for the growth.Simultaneously, 400 sccm of H2S was also introduced into the process.Prior to the growth, the substrate was subjected to a 10-minute baking process at a temperature of 1000 °C in an H 2 atmosphere.The actual film growth took place at 950 °C with a pressure of 50 Torr in the presence of hydrogen gas (H 2 ) which resulted in the formation of a monolayer film in ≈18 min.The substrate was subsequently cooled down to 300 °C in an H 2 S environment to prevent any deterioration of the monolayer MoS2 film after the growth was accomplished.More details on the growth process can be found in an earlier work. [65]abrication of Local Back-Gate Islands: To define the regions for the back-gate islands, a commercially acquired and thermally-grown 285 nm SiO2 on p++-Si substrate was spin coating with a bilayer photoresist com-prising of Lift-Off-Resist (LOR 5A) and Series Photoresist (SPR 3012) at 4000 RPM for 45 s which was accompanied by a baking process at 185 °C for 120 s and 95 °C for 60 s, respectively.In order to define the islands, the bilayer photoresist was subsequently, patterned using a Heidelberg Maskless Aligner (MLA 150).This patterned resist was then immersed in MF CD26 microposit for a total of 75 s, followed by a de-ionized (DI) water lasting 60 s for subsequent development.The back-gate electrodes were then deposited using electron-beam (e-beam) evaporation in a Temescal FC-2000 Bell Jar Deposition System and consisted of a 20/50 nm Ti/Pt layer.The excess photoresist and metal were removed by acetone and Photo Resist Stripper (PRS 3000).This was followed by another substrate cleaning step with 2-propanol (IPA) and DI water.Next, a 50 nm Al2O3 back-gate dielectric stack was grown using an atomic layer deposition process across the entire substrate, including the island regions.Following this, a reactive ion etch (RIE) process conducted in a Plasma-Therm Versa lock 700 was implemented in order to gain access to the individual Pt back-gate electrodes.Similarly, by using the LOR 5A and SPR 3012 resist, etch patterns were also defined which were then exposed to the MLA 150 and developed with MF CD26 microposit, followed by a DI water rinse.The dielectric stack was then dry etched for a total of 80 seconds, divided into four 20-second etch steps which were separated by 60-second stabilization steps with BCl 3 using a RIE chemistry at 5 °C.This was done to minimize substrate heating.Finally, the remaining photoresist was stripped using a similar liftoff recipe.
MoS 2 Film Transfer to Local Back-Gate Island Substrate: The transfer of the film from the growth substrate to the application substrate involved a process assisted by polymethyl-methacrylate (PMMA). [60]Initially, the MoS2 film grown on the sapphire substrate was coated with PMMA through a spin-coating method and allowed to sit for 24 h to ensure strong adhesion between PMMA and MoS2.Next, the edges of the spin-coated film were carefully scratched using a razor blade and then placed into a 2 m NaOH solution maintained at 90 °C.Capillary action facilitated the preferential infiltration of NaOH into the interface between the substrate and MoS2 due to the sapphire's hydrophilic nature and the hydrophobic characteristics of MoS2 and PMMA.This resulted in the separation of the PMMA/MoS2 stack from the sapphire substrate.The detached film was subsequently retrieved from the NaOH solution using a clean glass slide and underwent three separate 15-minute water baths for rinsing before being transferred onto the application substrate.Following this, the substrate was subjected to baking at 50 and 70 °C for 10 min each to eliminate moisture and enhance film adhesion, ensuring a pristine interface.Finally, the PMMA was removed by immersing the sample in acetone for 1 h, and the substrate underwent a subsequent 30-minute IPA bath for cleaning.
Fabrication of 2D MoS 2 Transistors: To define the channel regions of the MoS2 transistors in this study, the application substrate, with MoS2 transferred onto it, underwent the following process: it was subjected to spin-coating with PMMA A6 at 4000 RPM for 45 s and then baked at 180 °C for 90 s.The resist was then exposed using a Raith EBPG5200 e-beam lithography tool, followed by development using a mixture of 4-methyl-2pentanone (MIBK) and IPA in a 1:1 ratio for 60 s, and rinsing with IPA for 45 s.The exposed monolayer MoS2 film was subsequently etched using a sulfur hexafluoride (SF6) RIE process at 5 °C for 30 s.The sample was then rinsed in acetone and IPA to remove the e-beam resist.A subsequent lithography step was performed to create the source and drain electrodes.The substrate was spin-coated with methyl methacrylate (MMA) EL6 and PMMA A3 at 4000 RPM for 45 s.These resists were then baked at 150 °C for 90 s and 180 °C for 90 s, respectively.E-beam lithography was once again utilized to pattern the source and drain regions, followed by development using a 1:1 mixture of MIBK/IPA and rinsing with IPA for the same durations as before.To form the electrodes, a deposition process involved applying 40 nm of Ni and 30 nm of Gold (Au) using e-beam evaporation.Finally, a lift-off process was carried out to eliminate excess Ni/Au by immersing the sample in acetone for 1 h, followed by a 30-minute IPA bath to clean the substrate.At this stage, each island contained a single MoS2 transistor, allowing for individual gate control of each device.″Integration of 2D MoS 2 Transistors for TSI Fabrications: To establish the interconnections between individual transistors for circuit design, the substrate underwent the following procedure: it was initially spin-coated at 4000 RPM for 45 s with MMA EL11 and PMMA A3, followed by baking at 150 °C for 90 seconds and 180 °C for 90 s.It's worth noting that this bilayer resist was distinct from the one used earlier for defining the source/drain electrodes.MMA EL11, under these specific spin/bake conditions, resulted in a thicker layer compared to MMA EL6, which enabled the deposition of a thicker metal layer without the risk of inadequate sidewall coverage.Subsequently, the bilayer resist was patterned using e-beam lithography and developed using the same 1:1 MIBK/IPA mixture, along with an IPA rinse, as mentioned previously.E-beam evaporation was then employed to deposit 60 nm of Ni and 40 nm of Au, creating the connections between adjacent devices.A thicker metal layer was deposited in this step to ensure the continuity of the connections over the features defined in earlier lithography steps.Finally, in a lift-off process, the e-beam resisted and excess metal was removed by immersing the sample in acetone for 1 h, followed by a 30-minute bath in IPA.
Raman and PL Spectroscopy: Raman and PL spectroscopy of the MoS2 film were conducted using a Horiba LabRAM HR Evolution confocal Raman microscope equipped with a 532 nm laser.The laser power was adjusted to 34 mW and filtered down to 1.7 mW, with a 5% filter in place.The objective had a magnification of 100× and a numerical aperture of 0.9, while the grating used had a spacing of 1800 gr mm −1 for Raman spectroscopy and 300 gr mm −1 for PL spectroscopy.The spectral resolution for each Raman measurement was ≈0.5 cm −1 , and for PL measurements, it was ≈3 × 10 −4 eV.Each Raman and PL measurement was obtained from a single accumulation, with a dwell time of 0.5 s.
Electrical Characterization: All of the memtransistors and logic circuits were electrically characterized in atmospheric conditions using a Lake Shore CRX-VF probe station with a Keysight B1500A parameter analyzer.
Data Availability: The evaluated datasets and generated codes employed for this current study could be made available from the corresponding author on reasonable request.
Image Utilization: The images utilized in the manuscript for analysis are available from the standard MATLAB library.

Figure 1 .
Figure1.Basis of digital signatures for authenticity verification: a) A conceptual framework and b) an example demonstration of our proposed scheme where a sender (Alice) who is seeking to verify the authenticity of the recipient Bob generates a hash function (H) of her digital message (M) using her private key (B).She accomplishes this by leveraging the ability to manipulate the logic NOR output through localized programming of the MoS 2 memtransistor.Subsequently, on her request, Bob choses to perform homomorphic operations using his OTP private key (C) by utilizing diverse logic circuits such as NAND, XOR, OR, NOT, and AND.Finally, Alice confirms and verifies the authenticity of Bob by decrypting his homomorphic signatures using her private key (B), which restores her original hash value.

Figure 2 .
Figure 2. Electrical characterization of monolayer MoS 2 memtransistors: a) A schematic of a representative monolayer MoS 2 memtransistor along with its b) corresponding optical image.c) Transfer characteristics in logarithmic scale for a total of 100 MoS 2 memtransistors where the source to drain current (I DS ) is measured as a function of the local back-gate voltage (V BG ) at a drain bias V DS = 1 V.Our MoS 2 memtransistors exhibit good device performance with low gate leakage currents and an excellent ON/OFF ratio of ≈10 7 .Evaluation of device-to-device variations seen through the Gaussian fitted distributions of the d) threshold voltage (V TH ), extracted using the iso-current method at an I DS = 100 nA, e) subthreshold slope (SS), extracted over over three orders of I DS change and f) peak electric field-effect mobility (μ FE ) extracted using the transconductance (g m = ∂I DS /∂V BG ) method for all 100 MoS 2 memtransistors with their respective means (μ) and standard deviation () values.

Figure 3 .
Figure3.Construction of public and private keys using cascaded three-stage inverters: a) Circuit schematic of our key generation module consisting for two cascaded TSI modules and a logical XOR gate where the outputs from two different TSI's, V S3 and V′ S3 are fed as the respective inputs to the XOR gate.Optical images of b) TSI module 1 and c) XOR gate comprising of several MoS 2 memtransistors where the gates of some of the memtransistors are shorted to the source terminal as depletion loads in order to enable circuit operations.d) The output characteristics (V S3 ) plot of the third stage inverter from TSI module 1 where a finite hysteresis confirms the presence of trap states.e) measured the gain of the first, second, and third stage inverters from TSI module 1 with the gain values of 30, 117, and 188, respectively.f) V S3 plot for the third stage inverter measured at a read voltage (V read ) of −100 mV at a sampling rate ( S ) of 100 ms along with the g) corresponding delta-like distribution which toggles between the low (0 V) and high (2 V) logic levels.

Figure 4 .
Figure 4. Evaluation of the public and private key generated using cascaded TSIs: a) Uniformity (U) and Entropy (E) plots where the mean bit-uniformity (μ U ) values were found to be ≈0.52 and 0.49 while the mean entropy (μ E ) values were found to be ≈0.98 and 0.97, for Key Alice and Key Bob , respectively which are very close to their ideal values of 0.5 and 1. Distribution of b) HD intra with their respective means (μ HD − intra ) of 32.05 and 31.8, and standard deviations ( HD − intra ) of 4.01 and 4.06 for Key Alice and Key Bob respectively.Distribution of c) CC intra fitted using Gaussian functions with the mean values (μ CC − intra ) of 0.01 and 0.02, and standard deviations ( CC − intra ) of 0.12 and 0.13, for Key Alice and Key Bob , respectively.d) 3D plots for the ACF which examines any short-ranged periodicity within a bit stream plotted for all the 64 for Key Alice and Key Bob , respectively, for a total of 64 lags showing minimal spikes.These results indicate the cryptographic security of the generated keys.A histogram plot of e) Inter-hamming distance (HD inter ) and f) inter-correlation coefficient (CC inter ) between Key Alice and Key Bob , respectively, fitted using Gaussian functions.The mean μ HD − inter and μ CC − inter values were found to be of 31.4 and 0.03 with a  HD − inter and  CC − inter of 3.98 and 0.12, respectively, for Key Alice and Key Bob .A colormap of g) μ HD − inter and h) μ CC − inter between three independent sets of both Pub key and Priv key pairs.

Figure 5 .
Figure 5. Construction and evaluation of cryptographic hash: a) Optical image, b) circuit schematic,and c) modified output characteristics of NOR logic circuit along with its d) truth table which is accomplished by tuning the threshold voltage of MT 2 memtransistor.e-g) Process of creating a hash value H from the digital message A by Alice using her Key Alice (B) in order to verify Bob's authenticity.A 3D histogram plot of h) HD inter and i) CC inter between all the three different pairs of hash values generated using a total of three different input messages.Clearly, each hash value appears to be unique and uncorrelated and thereby corroborates the collision resilience of the hash function.Plot for j) bit uniformity μ U and entropy μ E values of the hash function along with the distribution of k) HD intra and l) CC intra which were found to have near-ideal values.

Figure 6 .
Figure 6.Generation of digital signatures with homomorphic operations: a) A schematic representation of generating a digital signature where the output from the obtained hash function H is combined with Bob's OTP, Key Bob (C) using a homomorphic NAND operation.b) Optical image along with c) circuit schematic and d) output characteristics of the NAND gate constructed using MoS 2 memtransistors where the gate and source of MT 3 are shorted to act as a constant load resistor.Sequence for verifying user authentication.Bob upon receiving e) Alice's hash function H uses his f)Key Bob (C)and proceeds to perform the homomorphic NAND operation as shown in g) to generate a unique signature (E NAND ).In order to verify and confirm Bob's authenticity, Alice proceeds to decrypt Bob's cipher using h) Key Alice (B) which i) matches with her original hash H.

Figure 7 .
Figure 7. Evaluating the cryptographic strength of digital signatures: a) A 3D bar plot of mean bit uniformity μ U and entropy μ E values which reveal a distinct trend where signatures generated using homomorphic NAND and OR operations exhibit higher values of μ U , whereas homomorphic AND displays a lower μ U value.This behavior arises from the inherent bit bias associated with each logical operation.A 3D histogram of b) HD intra along with a c) bar plot of  HD intra demonstrating the uniqueness of each homomorphic signature while also revealing the impact of the bit biases on the hamming values for NAND, OR, and AND operations.A 3D histogram of d) CC intra along with a e) bar plot of  CC intra showing near-ideal values.A 3D histogram of f) HD inter and a g) colormap of  HD inter along with another 3D histogram of h) CC inter and a i) colormap of  CC inter demonstrating the uniqueness of each signature in relation to one another.

Figure 8 .
Figure 8.Multiple Users authentication protocol.A conceptual framework of a user authentication protocol where Alice aims to confirm the authenticity of multiple user recipients, which in this scenario are named Henry, john, and David.a) Initially, Alice creates her original hash function by employing a programmed NOR logic along with her private Key ALice .b) Subsequently, Henry, John, and David execute homomorphic XOR, OR, and AND operations on Alice's hash function with their respective private OTP keys, Key Henry , Key John , and Key David to establish their authenticity.Finally, Alice decrypts the individual homomorphic signatures and recovers her original hash value, thereby verifying the legitimacy of each intended recipient.

Figure 9 .
Figure 9.Comparison between NOR and XOR-based user verification scheme: a-c) Process flow showing the applied homomorphic NAND operation to the encrypted cipher H, which was the result of a logical XOR operation between the digital message A and Alice's Key Alice (B).d,e) Interestingly, during Bob's verification process where Alice gains partial access to the underlying information after she decrypts his homomorphic signature with her Key Alice (B).f) The  HD inter values along with the g)  CC inter values which revealing a significant correlation between the decrypted signature verification cipher (D) and the original digital message M. h) The underlying message is also revealed partially through all the other homomorphic operations.