First stage boot constraints when attempting deployment with PQ/T (hybrid)
It’s possible that devices have a long life span. In certain industries, such as automotive or critical national infrastructure, embedded components could be in use long after the point at which quantum computing becomes a relevant threat. This makes it all the more important for devices to be quantum ready today. However, mandated crypto-agility and PQ/T make it difficult to apply in situations where resources like silicon area, memory, and energy consumption are constrained. Additionally, for secure boot for embedded devices, the public key is fixed in the hardware and can’t be updated post-manufacture.
The solution
PQPlatform-Hash uses hash-based signature schemes, rather than the lattice-based cryptography algorithms specified by the NIST standards. LMS and XMSS are the only two quantum-safe algorithms that can be deployed in a non-hybrid configuration, and unlike the newer algorithms, are likely to require fewer parameter adjustments in future. This makes LMS and XMSS ideal for verification in first stage boot loaders. PQPlatform-Hash is optimized for resource-constrained devices, as it connects to the main CPU of the embedded device through an AXI-Lite interface, requiring only 38kGE, and allowing much shorter secure boot times.
