Paper 2021/041

Post-Quantum LMS and SPHINCS+ Hash-Based Signatures for UEFI Secure Boot

Panos Kampanakis, Peter Panburana, Michael Curcio, Chirag Shroff, and Md Mahbub Alam


The potential development of large-scale quantum computers is raising concerns among IT and security research professionals due to their ability to solve (elliptic curve) discrete logarithm and integer factorization problems in polynomial time. This would jeopardize IT security as we know it. In this work, we investigate two quantum-safe, hash-based signature schemes published by the Internet Engineering Task Force and submitted to the National Institute of Standards and Technology for use in secure boot. We evaluate various parameter sets for the use-case in question and we prove that post-quantum signatures with less than one second signing and less than 10ms verification would not have material impact (less than1‰) on secure boot. We evaluate the hierarchical design of these signatures in hardware-based and virtual secure boot. In addition, we develop Hardware Description Language code and show that the code footprint is just a few kilobytes in size which would fit easily in almost all modern FPGAs. We also analyze and evaluate potential challenges for integration in existing technologies and we discuss considerations for vendors embarking on a journey of image signing with hash-based signatures.

Note: Initially uploaded to Cryptology ePrint Archive on Jan 11, 2021. Re-uploaded on June 4, 2021 with two sentences stating that the customized parameter sets perform significantly faster signing than the original SPHINCS+ parameter sets corrected.

Available format(s)
Public-key cryptography
Publication info
Preprint. MINOR revision.
HBS signaturesPQ image signingPQ root of trustpost-quantum secure boot
Contact author(s)
kpanos @ amazon com
2021-06-05: last of 2 revisions
2021-01-12: received
See all versions
Short URL
Creative Commons Attribution


      author = {Panos Kampanakis and Peter Panburana and Michael Curcio and Chirag Shroff and Md Mahbub Alam},
      title = {Post-Quantum LMS and SPHINCS+ Hash-Based Signatures for UEFI Secure Boot},
      howpublished = {Cryptology ePrint Archive, Paper 2021/041},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.