Paper 2018/261

Post-Quantum EPID Signatures from Symmetric Primitives

Dan Boneh, Saba Eskandarian, and Ben Fisch


EPID signatures are used extensively in real-world systems for hardware enclave attestation. As such, there is a strong interest in making these schemes post-quantum secure. In this paper we initiate the study of EPID signature schemes built only from symmetric primitives, such as hash functions and PRFs. We present two constructions in the random oracle model. The first is a scheme satisfying the EPID signature syntax and security definitions needed for private hardware attestation used in Intel’s SGX. The second achieves significantly shorter signatures for many applications, including the use case of remote hardware attestation. While our EPID signatures for attestation are longer than standard post-quantum signatures, they are short enough for applications where the data being signed is large, such as analytics on large private data sets, or streaming media to a trusted display. We evaluate several instantiations of our schemes so that the costs and benefits of these constructions are clear. Along the way we also give improvements to the zero-knowledge Merkle inclusion proofs of Derler et al. (2017).

Available format(s)
Publication info
Published elsewhere. Major revision. CT-RSA 2019
EPID Signatures
Contact author(s)
saba @ cs stanford edu
2018-12-11: last of 3 revisions
2018-03-09: received
See all versions
Short URL
Creative Commons Attribution


      author = {Dan Boneh and Saba Eskandarian and Ben Fisch},
      title = {Post-Quantum {EPID} Signatures from Symmetric Primitives},
      howpublished = {Cryptology ePrint Archive, Paper 2018/261},
      year = {2018},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.