XMSS and Embedded Systems

XMSS Hardware Accelerators for RISC-V
  • Wen Wang
  • Bernhard Jungk
  • Julian Wälde
  • Shuwen Deng
  • Naina Gupta
  • Jakub Szefer
  • Ruben Niederhagen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11959)


We describe a software-hardware co-design for the hash-based post-quantum signature scheme XMSS on a RISC-V embedded processor. We provide software optimizations for the XMSS reference implementation for SHA-256 parameter sets and several hardware accelerators that allow area usage and performance to be balanced according to individual needs. By integrating our hardware accelerators into the RISC-V processor, the version with the best time-area product generates a key pair (that can be used to generate \(2^{10}\) signatures) in 3.44 s, achieving a speedup of over \(54 \times \) in wall-clock time compared to the pure software version. For such a key pair, signature generation takes less than 10 ms and verification takes less than 6 ms, bringing speedups of over \(42 \times \) and \(17 \times \) respectively. We tested and measured the cycle count of our implementation on an Intel Cyclone V SoC FPGA. The integration of our XMSS accelerators into an embedded RISC-V processor shows that it is possible to use hash-based post-quantum signatures for a large variety of embedded applications.


XMSS · Hash-based signatures · Post-quantum cryptography · Hardware accelerator · FPGA · RISC-V



This work was supported in part by NSF grant 1716541. Part of the research was performed when the second author was affiliated with Fraunhofer Singapore.



Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. Yale University, New Haven, USA
  2. Munich, Germany
  3. Fraunhofer SIT, Darmstadt, Germany
  4. Fraunhofer Singapore, Singapore, Singapore