Paper 2022/1049

Post Quantum Design in SPDM for Device Authentication and Key Establishment

Jiewen Yao, Intel (United States)
Krystian Matusiewicz, Intel (United States)
Vincent Zimmer, Intel (United States)

The Security Protocol and Data Model (SPDM) defines flows to authenticate hardware identity of a computing device. It also allows for establishing a secure session for confidential and integrity protected data communication between two devices. The present version of SPDM, namely version 1.2, relies on traditional asymmetric cryptographic algorithms that are known to be vulnerable to quantum attacks. This paper describes the means by which support for post-quantum (PQ) cryptography can be added to the SPDM protocol in order to enable SPDM for the upcoming world of quantum computing. We examine SPDM 1.2 protocol and discuss how to negotiate the use of post-quantum cryptography algorithms (PQC), how to support device identity reporting, means to authenticate the device, and how to establish a secure session when using PQC algorithms. We consider so called hybrid modes where both classical and PQC algorithms are used to achieve security properties as these modes are important during the transition period. We also share our experience with implementing PQ-SPDM and provide benchmarks for some of the winning NIST PQC algorithms.

Available format(s)
Publication info
Published elsewhere. Cryptography. 2022; 6(4):48
PQ digital signature PQ key establishment post quantum SPDM device authentication device secure session
Contact author(s)
jiewen yao @ intel com
krystian matusiewicz @ intel com
vincent zimmer @ intel com
2022-10-04: revised
2022-08-12: received
See all versions
Short URL
No rights reserved


      author = {Jiewen Yao and Krystian Matusiewicz and Vincent Zimmer},
      title = {Post Quantum Design in SPDM for Device Authentication and Key Establishment},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1049},
      year = {2022},
      doi = {10.3390/cryptography6040048},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.