International Association for Cryptologic Research

IACR News item: 01 March 2024

Markku-Juhani O. Saarinen
ePrint Report
We report on efficient and secure hardware implementation techniques for the FIPS 205 SLH-DSA Hash-Based Signature Standard. SLotH supports all 12 parameter sets of SLH-DSA. The configurable architecture contains Keccak/SHAKE, SHA2-256, and SHA2-512 cores, and can protect secret key material with side-channel secure PRF and Winternitz chains. We demonstrate that very significant performance gains can be obtained from hardware features that facilitate hash padding formats and iterative hashing specific to SLH-DSA. These features make SLH-DSA on SLotH many times faster compared to similarly-sized general-purpose hash accelerators. A small RISC-V control core executes the drivers, as is typical in RoT systems such as OpenTitan or Caliptra.

Compared to unaccelerated microcontroller implementations, SLotH's SHAKE variants are up to $300\times$ faster; signature generation with the 128f parameter set takes 4,903,978 cycles, while signature verification with the 128s parameter set takes only 179,603 cycles. The SLH-DSA-SHA2 parameter sets have approximately half of the speed. We observe that the signature verification performance of SLH-DSA's "s" parameter sets is generally better than that of accelerated ECDSA or Dilithium on similarly-sized RoT targets. The area of the full SLotH system is small, from 63 kGE (SHA2, Cat 1 only) to 155 kGE (all parameter sets). Keccak Threshold Implementation adds another 130 kGE.

We provide sensitivity analysis of SLH-DSA in relation to side-channel leakage. We show experimentally that an SLH-DSA implementation with CPU hashing will rapidly leak the SK.seed master key. We perform a 100,000-trace TVLA leakage assessment with a protected SLotH unit.