Post-quantum cryptography challenges for embedded hardware

Classical public-key cryptography derives its security from integer factorisation. Diagram by Venus Kolhi.
Quantum computers promise exponential speed-ups on certain problems, ultrafast calculations, advanced simulation and superior optimisation. Entangled or superposed qubits can let a quantum computer finish in minutes calculations that a classical computer might take billions of years to complete.
While those benefits could unlock the mysteries of the universe or deliver an exceptional drug discovery, the threat they pose to today’s encryption systems shouldn’t be ignored. In the future, adversaries might be able to build quantum computers of their own, posing a real threat to present encryption systems. Shor’s quantum algorithm can factorise massive numbers and solve discrete logarithms, breaking the public-key algorithms in use today.
The industry is already preparing for ‘harvest now, decrypt later’. Adversaries collect encrypted data today and store it, expecting that a powerful quantum computer will be able to decrypt the sensitive information within a decade or two.
Prevention
Post-quantum cryptography (PQC) is the field of cryptographic algorithms designed to safeguard information even when the attacker has a powerful quantum computer. PQC algorithms are built on different mathematical problems, such as lattices, error-correcting codes, matrices, hash trees and polynomial multiplication. These problems are believed to be very difficult to solve, for classical and quantum computers alike.
At present, quantum computers, which require cryogenic operating conditions, fall within enterprise and government regulations and budgets only.
The National Institute of Standards and Technology (NIST) is a US federal agency that sets technical and measurement standards for government and, in practice, for global industry. NIST publishes Federal Information Processing Standards (FIPS) and the Special Publication 800 (SP 800) series, which define widely adopted cryptographic algorithms and security practices.
NIST finalised three PQC standards in August 2024: ML-KEM (FIPS 203) for key encapsulation, ML-DSA (FIPS 204) for digital signatures and SLH-DSA (FIPS 205) for hash-based signatures. In March 2025 NIST selected HQC, a code-based backup to ML-KEM, and FN-DSA, a lattice-based signature algorithm; the corresponding FIPS are expected in 2027.
PQC in the UK
The National Cyber Security Centre (NCSC) of the UK, US allies and many commercial vendors follow the NIST-set standards. NCSC has recommended an action plan in which every system that uses public-key cryptography must be discovered and assessed and a migration plan must be ready. The period 2028-2031 should be one of upgrading from lower-level cybersecurity systems.
From 2031 to 2035 all systems and products must migrate to the PQC standards. The official deadline set by NCSC coincides with the NIST-defined timeframes. NCSC recommends ML-KEM (FIPS 203), ML-DSA (FIPS 204) and SLH-DSA (FIPS 205). It also recommends the stateful hash-based signature schemes LMS and XMSS (SP 800-208) for PQC.
PQC for embedded systems
In industrial settings and professional deployments, the lifecycle of an embedded product, such as a utility meter, automotive ECU, EV charging station, medical implant, smart home device, satellite payload or industrial robot, extends to 10-20 years. Embedded devices are resource-constrained: they operate on ultra-low power with limited storage, limited connectivity and tight bandwidth.
Most embedded devices have no floating-point unit, which already makes AI and machine-learning workloads hard to run on them. PQC is ‘virtually large’ for embedded devices. Migrating to a quantum-safe cryptographic infrastructure therefore depends on cryptographic research and hardware innovation that bring the computational overhead down.
Large keys
When firmware updates are pushed over-the-air to embedded devices, the devices verify signatures to authenticate them. Current cybersecurity algorithms include RSA (named after its inventors) and elliptic curve cryptography (ECC). ECC P-256 carries 32B public and private keys with a 64B signature.
Post-quantum cryptography relies on hard lattice problems to protect keys and data against a quantum adversary. Diagram by Venus Kolhi.
The focus of PQC is to develop quantum-resistant authentication that prevents adversaries from forging signatures. PQC algorithms have large public keys and certificates that push bandwidth and storage requirements to tens of kB. For example, NIST ML-KEM-768 carries a 1,184B public key and exchanges a 1,088B ciphertext.
ML-DSA-65 uses a 1,952B public key and a 3,309B signature; the signature is about 50 times larger than an ECC signature. A fast implementation needs up to 50kB of microcontroller working memory (RAM), while small MCUs typically have only 8 or 16kB of RAM, which makes memory a bottleneck for PQC.
Lack of hardware accelerators
Bigger keys and certificates are only the beginner-level problem in advanced embedded applications. Industrial IoT and advanced embedded products ship with dedicated accelerators for the Advanced Encryption Standard (AES, which encrypts data efficiently using the same key for encryption and decryption), for the secure hash algorithms SHA-2 and SHA-3, and for the public-key algorithms RSA and ECC.
Modern SoCs and MCUs contain silicon blocks dedicated to low-power operation. However, none of the parts shipping today accelerate post-quantum cryptographic algorithms.
Standards
Setting standards remains a challenge for future PQC-safe embedded hardware, because multiple regulatory authorities in different countries must approve and certify such chips.
For example, Korea is developing its own PQC standards, so NIST-PQC-compatible hardware might need to wait. In addition, embedded devices are largely shaped by their use cases, and a lack of interoperability with legacy embedded hardware persists.
Not every embedded product needs to be PQC-safe. For example, the daily data from an IoT device monitoring temperature need not be secured, whereas a controller inside a running EV deserves the utmost priority to be resistant to quantum attack.
Battery drain
LoRaWAN is a low-power, long-range wireless protocol that pairs poorly with post-quantum cryptography. Data is transmitted in packets, and a LoRaWAN payload is only 51B to 242B, depending on the data rate.
The 3,309B signature of ML-DSA-65 therefore has to be fragmented for transmission and reassembled at the destination. Dozens of fragments per signature can drain the battery of an embedded device.
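To make the fragmentation cost concrete, the following is an added example (not code from the original post) that splits an ML-DSA-65-sized signature into LoRaWAN-sized frames, reassembles them at the receiver and counts the frames and bytes on air; it assumes a constructed two-byte fragment header (index, total), which is a simplification rather than the LoRa Alliance fragmentation format.

```python
import math

# Sizes quoted in the post: ML-DSA-65 and ECC P-256 signatures, LoRaWAN payload limits.
ML_DSA_65_SIG = 3309
ECC_P256_SIG = 64
LORAWAN_MIN_PAYLOAD = 51
LORAWAN_MAX_PAYLOAD = 242

# Assumed (constructed) per-fragment header: 1 byte index, 1 byte total count.
HEADER_LEN = 2


def fragment(blob: bytes, max_payload: int) -> list:
    """Split blob into frames that fit the LoRaWAN payload, each prefixed by (index, total)."""
    chunk = max_payload - HEADER_LEN
    if chunk <= 0:
        raise ValueError("payload too small for the fragment header")
    total = math.ceil(len(blob) / chunk)
    if total > 255:
        raise ValueError("too many fragments for a one-byte counter")
    return [bytes([i, total]) + blob[i * chunk:(i + 1) * chunk] for i in range(total)]


def reassemble(frames) -> bytes:
    """Rebuild the blob from frames received in any order; None if any fragment is missing."""
    frames = list(frames)
    if not frames:
        return None
    total = frames[0][1]
    parts = {}
    for f in frames:
        if f[1] != total:
            raise ValueError("fragments belong to different transfers")
        parts[f[0]] = f[2:]
    if len(parts) != total:
        return None  # a lost uplink forces a retransmission, costing more airtime
    return b"".join(parts[i] for i in range(total))


def airtime_cost(sig_len: int, max_payload: int) -> tuple:
    """(number of frames, total bytes on air including headers) for one signature."""
    frames = fragment(bytes(sig_len), max_payload)
    return len(frames), sum(len(f) for f in frames)


if __name__ == "__main__":
    for name, size in (("ML-DSA-65", ML_DSA_65_SIG), ("ECC P-256", ECC_P256_SIG)):
        for payload in (LORAWAN_MIN_PAYLOAD, LORAWAN_MAX_PAYLOAD):
            n, on_air = airtime_cost(size, payload)
            print(f"{name:10} @ {payload:3}B payload: {n:3} frames, {on_air} bytes on air")
```

At the smallest LoRaWAN payload the ML-DSA-65 signature alone needs 68 uplinks against 2 for the ECC signature, and a single lost fragment forces the whole exchange to be repeated.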
Direct target
Embedded devices, owing to their ease of physical access, can become the target of a physical attack. An adversary with the device in hand can measure its power consumption or timing while it operates and recover secret keys; this is known as side-channel analysis. Having obtained the keys, the adversary can manipulate the device, compromise its safety and reprogram it for wrongful operation.
Possible solution
Experts suggest running a hybrid cryptographic system in which PQC and classical algorithms run in parallel. If quantum computers ever compromise the older cryptographic algorithms, the less mature PQC algorithms may still protect the embedded device.
The NIST PQC algorithms ML-KEM, ML-DSA and SLH-DSA all rely on hash functions, so currently shipping parts can ‘somewhat’ support them with modification. However, such hybrid cryptographic chips are not a reliable solution.
Modifying SHA-2/SHA-3 accelerators to serve PQC produces slower results and drains the battery of embedded products. Accelerators dedicated to PQC are three to five years from arriving on the market.
Further information
https://www.nxp.com/docs/en/white-paper/POSTQUANCOMPWPA4.pdf
https://www.swissbit.com/en/news/blog/post-quantum-cryptography-and-the-future-of-embedded-security