Post-Quantum Cryptography: Preparing Hardware for the Quantum Threat
Post-Quantum Cryptography (PQC) refers to cryptographic algorithms designed to remain secure against both classical and quantum attacks. Today's public-key algorithms (RSA, finite-field and elliptic-curve Diffie-Hellman, DSA and ECDSA) all fall to Shor's algorithm on a sufficiently large quantum computer, so quantum-resistant replacements are needed, and with them new hardware implementations of primitives that look nothing like modular exponentiation or elliptic-curve point multiplication.
The Quantum Threat
- Shor's Algorithm: Breaks RSA, Diffie-Hellman, DSA and ECC/ECDSA in polynomial time on a large enough quantum computer
- Grover's Algorithm: Quadratic speedup for brute-force search, which halves the effective key length (AES-128 → roughly 64-bit quantum security); AES-256 and 256-bit hashes remain adequate
- Timeline: Estimates for a cryptographically relevant quantum computer (CRQC) commonly cluster around 2030-2040, with wide uncertainty
- Harvest Now, Decrypt Later: Traffic recorded today can be decrypted once a CRQC exists, so data that must stay confidential for years is at risk now
- NIST Standardization: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) were published in August 2024
NIST PQC Standards
Selected Algorithms
| Algorithm | Type | Application | Hard Problem |
|---|---|---|---|
| ML-KEM (Kyber), FIPS 203 | KEM | Key establishment | Module-LWE |
| ML-DSA (Dilithium), FIPS 204 | Signature | Digital signatures | Module-LWE + Module-SIS |
| SLH-DSA (SPHINCS+), FIPS 205 | Signature | Stateless signatures | Hash-based |
Algorithm Comparison
| Parameter | RSA-2048 | ECC P-256 | ML-KEM-768 | ML-DSA-65 |
|---|---|---|---|---|
| Public Key | 256 B | 64 B | 1,184 B | 1,952 B |
| Private Key | 256 B | 32 B | 2,400 B | 4,032 B |
| Ciphertext/Signature | 256 B | 64 B | 1,088 B | 3,309 B |
| Quantum Safe | No | No | Yes | Yes |
RSA and ECC figures are raw modulus/coordinate sizes (real encodings add a few bytes). ML-KEM-768 and ML-DSA-65 figures are the final FIPS 203/204 sizes; the round-3 Dilithium3 submission had a 4,000 B private key and 3,293 B signature, and those older numbers still appear in some datasheets.
Lattice-Based Cryptography
Learning With Errors (LWE)
Foundation of ML-KEM and ML-DSA:
- Find the secret s given (A, b = A·s + e mod q)
- The small error term e is what makes the problem hard: without it, s follows from Gaussian elimination
- No known quantum algorithm solves the underlying lattice problems efficiently

```text
LWE problem
  Given:  random matrix A  (m × n) over Z_q
          vector b = A·s + e  (mod q)
  Where:  s = secret vector (n entries)
          e = small error vector (m entries)
  Find s.  With e = 0 this is a linear system; with e ≠ 0 it is believed hard.

ML-KEM (Kyber) uses the module variant for efficiency:
  - A is a k × k matrix of polynomials in R_q = Z_q[X]/(X^n + 1), n = 256, q = 3329
  - k = 2, 3, 4 for ML-KEM-512/768/1024
  - s and e have small coefficients drawn from a centered binomial distribution
```
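The following toy instance, added here as an illustration and not code from the page or from Vcores, makes the role of the error term concrete: the same secret is recovered by Gaussian elimination over Z_q when e = 0 and is lost as soon as small errors are present. The parameters (n = m = 8, plain LWE rather than the module/ring form, q = 3329) are chosen only so the arithmetic is readable; a real ML-KEM instance is far larger.

```python
"""Toy LWE instance: why the error term matters.

Added illustration, not code from the page or from Vcores. n = m = 8 is
deliberately tiny; ML-KEM uses polynomials of degree 256 and k = 2..4.
"""
import random

Q = 3329  # ML-KEM modulus; prime, so every non-zero element is invertible


def lwe_instance(n, s, eta, rng):
    """Return (A, b) with b = A*s + e mod q, e drawn uniformly from [-eta, eta]."""
    A = [[rng.randrange(Q) for _ in range(n)] for _ in range(n)]
    e = [rng.randint(-eta, eta) for _ in range(n)]
    b = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % Q for i in range(n)]
    return A, b


def solve_mod_q(A, b):
    """Gauss-Jordan elimination over Z_q. Returns x with A*x = b, or None if singular."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]  # augmented matrix [A | b]
    for col in range(n):
        pivot = next((r for r in range(col, n) if M[r][col] % Q), None)
        if pivot is None:
            return None
        M[col], M[pivot] = M[pivot], M[col]
        inv = pow(M[col][col], -1, Q)
        M[col] = [(v * inv) % Q for v in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(vr - f * vc) % Q for vr, vc in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def demo(seed=1, n=8):
    """Solve a noise-free and a noisy instance of the same secret."""
    rng = random.Random(seed)
    # small secret, as in ML-KEM (coefficients in [-2, 2] for ML-KEM-768)
    s = [rng.randint(-2, 2) % Q for _ in range(n)]
    A_clean, b_clean = lwe_instance(n, s, 0, rng)  # eta = 0: plain linear system
    A_noisy, b_noisy = lwe_instance(n, s, 2, rng)  # eta = 2: ML-KEM-768-style noise
    return {
        "secret": s,
        "no_error": solve_mod_q(A_clean, b_clean),    # equals s
        "with_error": solve_mod_q(A_noisy, b_noisy),  # some unrelated x = s + A^-1 e
    }


if __name__ == "__main__":
    r = demo()
    print("secret     ", r["secret"])
    print("no error   ", r["no_error"])
    print("with error ", r["with_error"])
```

The noisy system still has a unique solution, but it is s + A⁻¹e, and since A⁻¹ spreads the small e over all of Z_q the recovered vector bears no resemblance to the small secret. Recovering s despite the noise is exactly the (module-)LWE problem that ML-KEM and ML-DSA rest on.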
Key Operations
- Polynomial Multiplication: Core operation in R_q; done through the NTT in O(n log n) rather than O(n²) schoolbook
- Sampling: Uniform polynomials for A from SHAKE-128 output with rejection sampling; small s and e from a centered binomial distribution
- Encoding/Decoding: Each message bit maps to a coefficient 0 or ⌈q/2⌉, and decoding rounds back to the nearer value
- Compression: Round coefficients to d < 12 bits (Compress_d) to shrink the ciphertext
Hardware Implementation
NTT (Number Theoretic Transform)
Critical for efficient polynomial multiplication:
NTT Butterfly Unit
```verilog
// Cooley-Tukey butterfly for the ML-KEM (Kyber) NTT, q = 3329
//   a_out = a + b*omega mod q
//   b_out = a - b*omega mod q
// Inputs are assumed fully reduced (0 <= a, b, omega < Q), so one conditional
// subtraction/addition suffices; the `%` operator would infer a divider.
module ntt_butterfly #(
    parameter Q     = 3329,   // Kyber modulus
    parameter WIDTH = 16
)(
    input  [WIDTH-1:0] a, b,
    input  [WIDTH-1:0] omega,       // twiddle factor zeta^BitRev7(k)
    output [WIDTH-1:0] a_out, b_out
);
    wire [2*WIDTH-1:0] product;
    wire [WIDTH-1:0]   t;
    wire [WIDTH:0]     sum, diff;   // one extra bit for carry / sign

    // t = b * omega mod q; mod_reduce is a Barrett or Montgomery reducer
    // implemented elsewhere in the design
    assign product = b * omega;
    mod_reduce #(.Q(Q)) reduce (.in(product), .out(t));

    // Butterfly outputs with conditional correction instead of `%`
    assign sum   = a + t;                                   // < 2Q
    assign a_out = (sum >= Q) ? sum - Q : sum[WIDTH-1:0];
    assign diff  = {1'b0, a} - {1'b0, t};                   // may go negative
    assign b_out = diff[WIDTH] ? diff + Q : diff[WIDTH-1:0];
endmodule
```
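A hardware NTT is normally checked against a software golden model. The following Python model, added here and not code from the page or from Vcores, implements the ML-KEM NTT exactly as FIPS 203 specifies it (ζ = 17, bit-reversed twiddle order, Cooley-Tukey forward butterflies, Gentleman-Sande inverse butterflies, and the degree-1 base-case multiplication that results because 3329 has no 512th root of unity), and verifies it against schoolbook negacyclic multiplication. Its `ZETAS` table is the twiddle ROM a butterfly unit like the one above reads `omega` from.

```python
"""Golden model of the ML-KEM (FIPS 203) NTT over Z_3329[X]/(X^256 + 1).

Added example for checking an NTT hardware block; not code from the page or
from Vcores. Follows FIPS 203 Algorithms 9-12.
"""
import random

Q = 3329
N = 256
ZETA = 17  # primitive 256th root of unity mod 3329


def bitrev7(k):
    """7-bit bit reversal, used to order the twiddles."""
    return int(f"{k:07b}"[::-1], 2)


# ZETAS[k] = zeta^BitRev7(k) mod q for k = 0..127: the twiddle ROM
ZETAS = [pow(ZETA, bitrev7(k), Q) for k in range(128)]


def ntt(f):
    """Forward NTT (Algorithm 9): 7 layers of Cooley-Tukey butterflies."""
    f = list(f)
    k = 1
    length = 128
    while length >= 2:
        for start in range(0, N, 2 * length):
            zeta = ZETAS[k]
            k += 1
            for j in range(start, start + length):
                t = (zeta * f[j + length]) % Q   # t = b * omega mod q
                f[j + length] = (f[j] - t) % Q   # b_out = a - t
                f[j] = (f[j] + t) % Q            # a_out = a + t
        length //= 2
    return f


def invntt(f_hat):
    """Inverse NTT (Algorithm 10): Gentleman-Sande butterflies, then scale by 1/128."""
    f = list(f_hat)
    k = 127
    length = 2
    while length <= 128:
        for start in range(0, N, 2 * length):
            zeta = ZETAS[k]
            k -= 1
            for j in range(start, start + length):
                t = f[j]
                f[j] = (t + f[j + length]) % Q
                f[j + length] = (zeta * (f[j + length] - t)) % Q
        length *= 2
    inv128 = pow(128, -1, Q)  # 3303
    return [(v * inv128) % Q for v in f]


def multiply_ntts(f_hat, g_hat):
    """Pointwise product in the NTT domain (Algorithms 11-12): 128 products of
    degree-1 polynomials modulo X^2 - zeta^(2*BitRev7(i)+1)."""
    h = [0] * N
    for i in range(128):
        gamma = pow(ZETA, 2 * bitrev7(i) + 1, Q)
        a0, a1 = f_hat[2 * i], f_hat[2 * i + 1]
        b0, b1 = g_hat[2 * i], g_hat[2 * i + 1]
        h[2 * i] = (a0 * b0 + a1 * b1 * gamma) % Q
        h[2 * i + 1] = (a0 * b1 + a1 * b0) % Q
    return h


def schoolbook_mul(f, g):
    """O(n^2) negacyclic multiplication (X^256 = -1); the reference the NTT path must match."""
    h = [0] * N
    for i in range(N):
        for j in range(N):
            if i + j < N:
                h[i + j] = (h[i + j] + f[i] * g[j]) % Q
            else:
                h[i + j - N] = (h[i + j - N] - f[i] * g[j]) % Q
    return h


def ntt_mul(f, g):
    return invntt(multiply_ntts(ntt(f), ntt(g)))


def check(seed=0):
    """Round-trip and multiplication check on random polynomials (constructed input)."""
    rng = random.Random(seed)
    f = [rng.randrange(Q) for _ in range(N)]
    g = [rng.randrange(Q) for _ in range(N)]
    return invntt(ntt(f)) == f and ntt_mul(f, g) == schoolbook_mul(f, g)


if __name__ == "__main__":
    print("twiddles:", ZETAS[:4])   # 1, 1729, 2580, 3289
    print("model consistent:", check())
```

Because every intermediate `t`, `a + t` and `a - t` is computed here with the same reduction points a butterfly unit would use, the model can be driven cycle-by-cycle in a testbench: feed the same coefficient pairs and `ZETAS[k]` to the RTL and compare each butterfly output, not just the final polynomial.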
Architecture Options
| Architecture | Area | Throughput | Use Case |
|---|---|---|---|
| Serial | Small | Low | IoT, constrained |
| Parallel NTT | Medium | Medium | General purpose |
| Fully Parallel | Large | High | High-performance |
Resource Estimates (Kyber-768)
- Compact: ~5K LUTs, ~1K cycles per operation
- Balanced: ~15K LUTs, ~200 cycles per operation
- High-speed: ~50K LUTs, ~50 cycles per operation
Side-Channel Protection
Vulnerabilities
PQC algorithms have unique side-channel concerns:
- Timing: Rejection sampling loops, the division in ML-KEM's message decoding (the 2024 KyberSlash timing leak in several implementations), and the ciphertext comparison in the FO decapsulation step, which must not exit early
- Power: NTT butterflies and modular reduction operate directly on secret coefficients, as does the Keccak core when it hashes secret inputs
- Fault Injection: Skipping validity checks, such as the re-encryption comparison in ML-KEM decapsulation or the norm bounds in ML-DSA signing
Countermeasures
- Masking: Split each sensitive value into shares so that no single wire carries a secret
- Shuffling: Randomize the order of independent operations (e.g. butterflies within a layer)
- Constant-time: No secret-dependent branches, loop bounds or memory addresses
- Blinding: Randomize intermediate values, e.g. multiply by a random constant before the NTT and remove it afterwards
Masked NTT
Boolean or arithmetic masking of polynomial coefficients:
- Each coefficient split into multiple shares
- Operations performed on shares independently
- Significant area/performance overhead (~2-4x)
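The linear part of the NTT masks cheaply: because a butterfly is linear in (a, b) for a fixed public twiddle, it can be applied to each share separately and the shares recombined afterwards. The example below, added here and not code from the page or from Vcores, does exactly that with two arithmetic shares, checks that unmasking reproduces the plain butterfly, and runs a crude first-order experiment: for a fixed secret coefficient, the unmasked intermediate t = ω·b is a constant the power trace can reveal, while the corresponding share is a fresh uniform value every run. The share count, the refresh step and the experiment parameters are this illustration's choices, not those of any particular design.

```python
"""First-order arithmetic masking of an NTT butterfly.

Added illustration, not code from the page or from Vcores. Each coefficient x
is held as (x0, x1) with x = x0 + x1 mod q; x0 is uniform, so neither share
alone carries information about x.
"""
import random

Q = 3329


def butterfly(a, b, omega):
    """Unmasked Cooley-Tukey butterfly: (a + omega*b, a - omega*b) mod q."""
    t = (b * omega) % Q
    return (a + t) % Q, (a - t) % Q


def mask(x, rng):
    """Split x into two shares with x0 + x1 = x mod q."""
    x0 = rng.randrange(Q)
    return x0, (x - x0) % Q


def unmask(shares):
    return sum(shares) % Q


def masked_butterfly(a_shares, b_shares, omega):
    """Apply the butterfly share-wise; the two shares are never combined."""
    outs = [butterfly(a_i, b_i, omega) for a_i, b_i in zip(a_shares, b_shares)]
    a_out = tuple(o[0] for o in outs)
    b_out = tuple(o[1] for o in outs)
    return a_out, b_out


def refresh(shares, rng):
    """Re-randomize a sharing so intermediates of successive layers are independent."""
    r = rng.randrange(Q)
    return ((shares[0] + r) % Q, (shares[1] - r) % Q)


def correctness(trials=500, seed=3):
    """Masked butterfly followed by a refresh must unmask to the plain butterfly."""
    rng = random.Random(seed)
    for _ in range(trials):
        a, b, w = rng.randrange(Q), rng.randrange(Q), rng.randrange(Q)
        a_out, b_out = masked_butterfly(mask(a, rng), mask(b, rng), w)
        a_out = refresh(a_out, rng)
        if (unmask(a_out), unmask(b_out)) != butterfly(a, b, w):
            return False
    return True


def leakage_profile(secret_b, trials=2000, seed=5, omega=17):
    """How many distinct values does the intermediate t = omega*b take over
    `trials` runs with the same secret b?  Unmasked: one value, a constant
    that correlates with the secret.  Masked: share 0 of t is fresh-random
    each run, so it spreads over Z_q regardless of b."""
    rng = random.Random(seed)
    unmasked = {(omega * secret_b) % Q for _ in range(trials)}
    masked = set()
    for _ in range(trials):
        b0, _b1 = mask(secret_b, rng)
        masked.add((omega * b0) % Q)   # what the multiplier on share 0 computes
    return len(unmasked), len(masked)


if __name__ == "__main__":
    print("masked butterfly correct:", correctness())
    print("distinct intermediates (unmasked, masked):", leakage_profile(1234))
```

What this does not cover is where the 2-4x overhead of a masked ML-KEM actually comes from: the non-linear steps (centered-binomial sampling, Compress/Decompress, the FO comparison, and the Keccak core) cannot be run share-wise in one domain and need Boolean-to-arithmetic and arithmetic-to-Boolean conversions, which dominate area and cycle count.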
System Integration
Hybrid Cryptography
Combine classical and PQC key exchange during the transition period:
- TLS 1.3 hybrid key exchange (e.g. X25519MLKEM768, already deployed by major browsers and CDNs)
- The session key is derived from both the ECDH shared secret and the ML-KEM shared secret
- Security holds as long as either component is unbroken: a combiner, not a fallback, so a flaw in the new ML-KEM code does not reduce security below today's ECDH
Protocol Support
- TLS 1.3: Hybrid PQ key exchange deployed (X25519MLKEM768); PQ certificates and signatures still being standardized
- SSH: OpenSSH ships hybrid PQ key exchange (sntrup761x25519 since 9.0, mlkem768x25519 since 9.9)
- IPsec: IKEv2 multiple key exchanges (RFC 9370) allow adding a PQ KEM to the classical exchange
- Code Signing: ML-DSA for firmware, alongside the stateful hash-based LMS/XMSS (RFC 8554, RFC 8391) already in use for boot images
Migration Considerations
- Larger key/signature sizes impact bandwidth
- Higher compute requirements than ECC
- Memory requirements for key storage
- Backward compatibility during transition
Hash-Based Signatures
SLH-DSA (SPHINCS+)
Stateless hash-based signature scheme:
- Security rests only on the hash function (second-preimage and preimage resistance)
- No lattice assumptions required
- Conservative security choice, at a cost: signing is slow, especially the small-signature "s" parameter sets
- Large signatures (7.9 KB for SLH-DSA-128s up to 49.9 KB for SLH-DSA-256f)
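The reason hash-based signatures are large and rest only on the hash function is easiest to see in the simplest scheme of the family, a Lamport one-time signature. The example below, added here and not code from the page or from Vcores, is not SLH-DSA (which uses WOTS+ chains, FORS and a hypertree of Merkle trees to make the scheme stateless and many-time) but shows the two properties the section relies on: verification is nothing but hashing, the signature is 256 x 32 B = 8 KiB, right at the low end of SLH-DSA's range, and a one-time key reused for a second message hands half its secret preimages to the attacker, which is why SLH-DSA's construction goes to such lengths to avoid ever reusing one.

```python
"""Lamport one-time signature over SHA-256.

Added illustration, not code from the page or from Vcores, and not SLH-DSA
itself. Signs the SHA-256 digest of the message bit by bit.
"""
import hashlib
import os

N_BITS = 256       # one (preimage pair) per digest bit
CHUNK = 32         # SHA-256 output / preimage size in bytes


def H(data):
    return hashlib.sha256(data).digest()


def keygen(rng=os.urandom):
    """sk: 256 pairs of random 32-byte preimages; pk: their hashes (16 KiB each)."""
    sk = [(rng(CHUNK), rng(CHUNK)) for _ in range(N_BITS)]
    pk = [(H(x0), H(x1)) for x0, x1 in sk]
    return sk, pk


def message_bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def sign(sk, msg):
    """For each digest bit, reveal the preimage selected by that bit. 8 KiB."""
    return b"".join(sk[i][bit] for i, bit in enumerate(message_bits(msg)))


def verify(pk, msg, sig):
    """Hash every revealed chunk and compare with the public key; nothing else."""
    if len(sig) != N_BITS * CHUNK:
        return False
    ok = True
    for i, bit in enumerate(message_bits(msg)):
        chunk = sig[CHUNK * i:CHUNK * (i + 1)]
        ok &= H(chunk) == pk[i][bit]   # no early exit; all 256 hashes always run
    return ok


def exposed_positions(msg1, msg2):
    """Bit positions where signing both messages with one key reveals BOTH
    preimages, i.e. positions an attacker may now set freely in a forgery."""
    b1, b2 = message_bits(msg1), message_bits(msg2)
    return [i for i in range(N_BITS) if b1[i] != b2[i]]


if __name__ == "__main__":
    sk, pk = keygen()
    sig = sign(sk, b"firmware v1.2.3")
    print("signature bytes:", len(sig))                         # 8192
    print("verifies:", verify(pk, b"firmware v1.2.3", sig))     # True
    print("tampered:", verify(pk, b"firmware v1.2.4", sig))     # False
    print("positions exposed by reuse:",
          len(exposed_positions(b"firmware v1.2.3", b"firmware v1.2.4")))  # ~128
```

Stateful schemes (LMS, XMSS) fix the reuse problem with a counter that must never be rewound, which is awkward for a signing HSM that is cloned or restored from backup; SLH-DSA instead picks a leaf pseudo-randomly from a huge tree so that a collision is negligibly likely, and the price is the signature sizes in the list above.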
Use Cases
- Firmware signing (size less critical)
- Root certificates
- Long-term archival signatures
Conclusion
Post-quantum cryptography is no longer a future concern—NIST standards are finalized, and industry is actively deploying PQC. Hardware implementations must address the larger key sizes, different computational primitives (NTT), and new side-channel attack surfaces while meeting performance and area requirements.
Vcores offers post-quantum cryptography IP cores including ML-KEM (Kyber) and ML-DSA (Dilithium) accelerators. Our implementations feature configurable security levels, side-channel countermeasures, and optimized NTT engines for efficient lattice operations.