Abstract

Secure boot is a key security feature of trusted IoT devices. In this paper, a two-stage secure boot is proposed with two benefits: quantum resistance and fast execution. In the verification of the first stage, an HMAC is used with a secret key reconstructed from an on-chip SRAM Physical Unclonable Function (PUF) and non-sensitive Helper Data (HD). Since the SRAM cells are conveniently classified in a registration phase, a simple repetition error-correcting code is employed along with small-sized Helper Data. In the second-stage verification, the IoT device verifies the application firmware with a Winternitz One-Time Signature (WOTS+), which forms part of an eXtended Merkle Signature Scheme (XMSS). The full XMSS signature can be verified externally by the user of the device. Simple instances of the tweakable hash functions proposed in SPHINCS+ are used for the WOTS+ and XMSS schemes. The proposal is evaluated on the ESP32 microcontroller, taking advantage of its SHA accelerator. Working at 160 MHz, the first-stage verification takes only 6.04 ms. Excluding the message hashing, the second-stage verification takes from 5.12 to 25.83 ms depending on the signature parameters. Compared with the XMSS RFC 8391 reference implementation, 304 to 608 fewer bytes need to be stored on the device. For a security level of 128 bits, the proposal is 17.25 to 39.77 times faster in cycle count than the Elliptic Curve Digital Signature Algorithm (ECDSA) and saves 2992 bytes of flash memory.
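The first-stage mechanism described above, as an added illustration that is not the paper's own code: a registration phase derives non-sensitive Helper Data from the SRAM power-up pattern and a repetition-coded key, and at boot the noisy SRAM values are combined with the Helper Data and majority-voted to recover the HMAC key that checks the first-stage image. The parameters (3 cells per key bit, a 128-bit key, HMAC-SHA256, the simulated noise model) are assumptions for the demo, not values from the paper.

```python
import hashlib
import hmac
import random

# Assumed parameters (not the paper's): each key bit is spread over REP
# reliable SRAM cells, so a length-3 repetition code corrects one flipped cell per group.
REP = 3
KEY_BITS = 128

def enroll(sram_bits, key: bytes) -> bytes:
    """Registration phase: Helper Data = SRAM power-up bits XOR the repetition-coded key.
    With uniformly random SRAM bits this reveals nothing about the key (code-offset construction)."""
    key_bits = [(key[i // 8] >> (7 - i % 8)) & 1 for i in range(KEY_BITS)]
    code = [b for b in key_bits for _ in range(REP)]          # repetition encoding
    return bytes(s ^ c for s, c in zip(sram_bits, code))       # non-sensitive Helper Data

def reconstruct(noisy_sram_bits, helper: bytes) -> bytes:
    """Boot time: XOR noisy SRAM bits with Helper Data, then majority-vote each group."""
    code = [s ^ h for s, h in zip(noisy_sram_bits, helper)]
    key = bytearray(KEY_BITS // 8)
    for i in range(KEY_BITS):
        group = code[i * REP:(i + 1) * REP]
        bit = 1 if sum(group) * 2 > REP else 0                 # majority decode
        key[i // 8] |= bit << (7 - i % 8)
    return bytes(key)

def verify_first_stage(image: bytes, tag: bytes, noisy_sram_bits, helper: bytes) -> bool:
    """First-stage check: recompute HMAC-SHA256 under the reconstructed key, constant-time compare."""
    key = reconstruct(noisy_sram_bits, helper)
    return hmac.compare_digest(hmac.new(key, image, hashlib.sha256).digest(), tag)

def demo(seed: int = 1):
    """Constructed scenario: enrol, then boot with one flipped cell in ~30% of groups."""
    rng = random.Random(seed)
    sram = [rng.randint(0, 1) for _ in range(KEY_BITS * REP)]  # constructed enrollment power-up
    key = bytes(rng.randrange(256) for _ in range(KEY_BITS // 8))
    helper = enroll(sram, key)
    image = b"constructed first-stage bootloader image"
    tag = hmac.new(key, image, hashlib.sha256).digest()        # stored beside the image
    noisy = list(sram)
    for g in range(0, KEY_BITS * REP, REP):                    # at most one flip per group
        if rng.random() < 0.3:
            noisy[g + rng.randrange(REP)] ^= 1
    recovered = reconstruct(noisy, helper) == key
    genuine = verify_first_stage(image, tag, noisy, helper)
    tampered = verify_first_stage(image + b"\x00", tag, noisy, helper)
    return recovered, genuine, tampered                        # expect (True, True, False)
```

Two flipped cells in the same group defeat the length-3 repetition code, which is why the registration phase must select stable cells before committing to such a short code.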
