Computing a 41 KB signature in 16 KB of RAM

Andreas Hülsing, Joost Rijneveld, and Peter Schwabe

Abstract: This paper shows that it is feasible to implement the stateless hash-based signature scheme SPHINCS-256 on an embedded microprocessor with memory even smaller than a signature and limited computing power. We demonstrate that it is possible to generate and verify the 41KB signature on an ARM Cortex M3 that only has 16KB of memory available. We provide benchmarks for our implementation which show that this can be used in practice. To analyze the costs of using the stateless SPHINCS scheme instead of its stateful alternatives, we also implement XMSSMT on this platform and give a comparison.

Paper: 2016-02-03 (older version: )

Source code: 2016-02-09 (older versions: , )

Related talks:
ARMed SPHINCS: Computing a 41 KB signature in 16 KB of RAM
2016-03-18 – PQCRYPTO pre-review –
2016-03-07 – PKC 2016
2016-02-05 – DS Lunch colloquium

author    = {Andreas H\"ulsing and Joost Rijneveld and Peter Schwabe},
title     = {{ARMed SPHINCS} -- Computing a 41KB signature in 16KB of RAM},
booktitle = {Public Key Cryptography -- {PKC 2016}},
editor    = {Giuseppe Persiano and Bo-Yin Yang},
publisher = {Springer-Verlag Berlin Heidelberg},
series    = {Lecture Notes in Computer Science},
volume    = {9614},
year      = {2016},
pages     = {446--470},
url       = {},