Paper 2021/041

Post-Quantum LMS and SPHINCS+ Hash-Based Signatures for UEFI Secure Boot

Panos Kampanakis, Peter Panburana, Michael Curcio, Chirag Shroff, and Md Mahbub Alam

Abstract

The potential development of large-scale quantum computers is raising concerns among IT and security research professionals due to their ability to solve (elliptic curve) discrete logarithm and integer factorization problems in polynomial time. This would jeopardize IT security as we know it. In this work, we investigate two quantum-safe, hash-based signature schemes published by the Internet Engineering Task Force and submitted to the National Institute of Standards and Technology for use in secure boot. We evaluate various parameter sets for the use-case in question and we prove that post-quantum signatures with less than one second signing and less than 10ms verification would not have material impact (less than1‰) on secure boot. We evaluate the hierarchical design of these signatures in hardware-based and virtual secure boot. In addition, we develop Hardware Description Language code and show that the code footprint is just a few kilobytes in size which would fit easily in almost all modern FPGAs. We also analyze and evaluate potential challenges for integration in existing technologies and we discuss considerations for vendors embarking on a journey of image signing with hash-based signatures.

Note: Initially uploaded to Cryptology ePrint Archive on Jan 11, 2021. Re-uploaded on June 4, 2021 with two sentences stating that the customized parameter sets perform significantly faster signing than the original SPHINCS+ parameter sets corrected.