An Efficient Software Implementation of the Hash-Based Signature Scheme MSS and Its Variants

  • Ana Karina D. S. de Oliveira
  • Julio López
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9230)


In this work, we describe an optimized software implementation of the Merkle digital signature scheme (MSS) and its variants GMSS, XMSS and \(\mathrm{XMSS}^\mathrm{MT}\) using the vector instruction set AVX2 on Intel’s Haswell processor. Our implementation uses the multi-buffer approach for speeding up key generation, signing and verification on these schemes. We selected a set of parameters to maintain a balance among security level, key sizes and signature size. We aligned these parameters with the ones used in the hash-based signature schemes LDWM and XMSS. We report the performance results of our implementation on a modern Intel Core i7 3.4 GHz. In particular, a signing operation in the XMSS scheme can be computed in 2,001,479 cycles (1,694 signatures per second) at the 128-bit security level (against quantum attacks) using the SHA2-256 hash function, a tree of height 60 and 6 layers. Our results indicate that the post-quantum hash-based signature scheme \(\mathrm{XMSS}^\mathrm{MT}\) offers high security and performance for several parameters on modern processors.


Digital signature Scheme xmss Merkle tree Post-quantum cryptography 



The authors would like to thank the anonymous referees for their valuable comments and suggestions to improve the quality of this paper.

Supplementary material


  1. 1.
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. theory 22, 44–654 (1976)MathSciNetCrossRefGoogle Scholar
  2. 2.
    Bremen, L., Kluge, J., Ziefle, M., Modabber, A., Goloborodko, E., Hölzle, F.: “Two faces and a hand scan”- pre- and postoperative insights of patients undergoing an orthognathic surgery. In: Stephanidis, C. (ed.) HCI 2014, Part II. CCIS, vol. 435, pp. 389–394. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  3. 3.
    Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)MathSciNetCrossRefzbMATHGoogle Scholar
  4. 4.
    Bellare, M., Miner, S.K.: A forward-secure digital signature scheme. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 431–448. Springer, Heidelberg (1999) CrossRefGoogle Scholar
  5. 5.
    Reyzin, L., Reyzin, N.: Better than BiBa: short one-time signatures with fast signing and verifying. In: Batten, L.M., Seberry, J. (eds.) ACISP 2002. LNCS, vol. 2384, pp. 144–153. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  6. 6.
    Lamport, L.: Constructing Digital Signatures from a One Way Function Technical report SRI-CSL-98, SRI International Computer Science Laboratory (1979)Google Scholar
  7. 7.
    Buchmann, J., García, L.C.C., Dahmen, E., Döring, M., Klintsevich, E.: CMSS – an improved merkle signature scheme. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 349–363. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  8. 8.
    NIST.: Digital Signatures Algorithm (DSA). FIPS-186 (1994).
  9. 9.
    eBACS: ECRYPT Benchmarking of Cryptographic Systems SUPERCOP 20140924 (2014).
  10. 10.
    Gosney, J.: The sse2/xop implementation of sha256 (2013).
  11. 11.
    Johnson, D., Menezes, A., Vanstone, S.: Elliptic curve digital signature algorithm ECDSA. Int. J. Inf. Secur. 1, 36–63 (2001)CrossRefGoogle Scholar
  12. 12.
    Jakobsson, M., Leighton, T., Micali, S., Szydlo, M.: Fractal merkle tree representation and traversal. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 314–326. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  13. 13.
    McGrew, D., Curcio, M.: Hash-Based Signatures draft-mcgrew-hash-sigs-02. Crypto Forum Research Group, Internet Draft, Cisco Systems (2014)Google Scholar
  14. 14.
    Buchmann, J., Dahmen, E., Szydlo, M.: Hash-based digital signature schemes. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 35–92. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  15. 15.
    Szydlo, M.: Merkle tree traversal in log space and time. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 541–554. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  16. 16.
    Buchmann, J., Dahmen, E., Klintsevich, E., Okeya, K., Vuillaume, C.: Merkle signatures with virtually unlimited signature capacity. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 31–45. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  17. 17.
    Buchmann, J., Dahmen, E., Schneider, M.: Merkle tree traversal revisited. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 63–78. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  18. 18.
    Hülsing, A., Rausch, L., Buchmann, J.: Optimal parameters for XMSS\(^\text{ MT }\). In: Cuzzocrea, A., Kittl, C., Simos, D.E., Weippl, E., Xu, L. (eds.) CD-ARES Workshops 2013. LNCS, vol. 8128, pp. 194–208. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  19. 19.
    Shor, P.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, pp. 124–134. IEEE Computer Society Press (1994)Google Scholar
  20. 20.
    Practical Forward Secure Signature using Minimal Security Assumptions. Ph.D. thesis. TU Darmstadt, Darmstadt, August 2013Google Scholar
  21. 21.
    NIST.: Recommendation for Random Number Generation Using Deterministic Random Bit Generators. Computer Security Division - Information Technology Laboratory - NIST Special Publication 800–90A (2012).
  22. 22.
    Bernstein, D., Hopwood, D., Hülsing, A., Lange, T., Niederhagen, R., Papachristodoulou, L., Schwabe, P., O’Hearn, Z.: SPHINCS: practical stateless hash-based signatures. Cryptology ePrint Archive - Report 2014/795 (2014)Google Scholar
  23. 23.
    Merkle, R.C.: Secrecy, Authentication, and Public Key Systems. Stanford Ph.D. thesis (1979)Google Scholar
  24. 24.
    Buchmann, J., Dahmen, E., Hülsing, A.: XMSS - a practical forward secure signature scheme based on minimal security assumptions. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 117–129. Springer, Heidelberg (2011). CrossRefGoogle Scholar
  25. 25.
    Hülsing, A., Butin, D., Gazdag, S.: XMSS: Extended Hash-Based Signatures draft-xmss-00. Crypto Forum Research Group, Internet Draft (2015)Google Scholar
  26. 26.
    Hülsing, A.: W-OTS+ – shorter signatures for hash-based signature schemes. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 173–188. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  27. 27.
    Guilfor, J., Yap, K., Gopal, V.: Fast SHA-256 Implementations on Intel Architecture Processors. IA Architects Intel Corporation (2012).
  28. 28.

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Ana Karina D. S. de Oliveira
    • 1
  • Julio López
    • 2
  1. 1.Federal University of Mato Grosso Do Sul (FACOM-UFMS)Campo GrandeBrazil
  2. 2.State University of Campinas (IC-UNICAMP)CampinasBrazil

Personalised recommendations