Agile Acceleration of Stateful Hash-based Signatures in Hardware

With the development of large-scale quantum computers, the current landscape of asymmetric cryptographic algorithms will change dramatically. Today's standards like RSA, DSA, and ElGamal will no longer provide sufficient security against quantum attackers and need to be replaced with novel algorithms. In the face of these developments, NIST has already started a standardization process for new Key Encapsulation Mechanisms (KEMs) and Digital Signatures (DSs). Moreover, NIST has recommended the two stateful Hash-Based Signatures (HBSs) schemes XMSS and LMS for use in devices with a long expected lifetime and limited capabilities for maintenance. Both schemes are also standardized by the IETF. In this work, we present the first agile hardware implementation that supports both LMS and XMSS. Our design can instantiate either LMS, XMSS, or both schemes using a simple configuration setting. Leveraging the vast similarities of the two schemes, the hardware utilization of the agile design increases by 20% in LUTs and only 3% in Flip Flops (FFs) over a standalone XMSS implementation. Furthermore, our approach can easily be configured with an arbitrary number of hash cores and accelerators for the one-time signatures for different application scenarios. We evaluate our implementation on the Xilinx Artix-7 FPGA platform, which is the recommended target for PQC implementations by NIST. We explore potential tradeoffs in the design space and compare our results to previous work in this field.