Updated: January 15, 2020 PQShield Engineering.

Status and Availability to Partners

Q1/2020: PQSoC can be readily demonstrated on FPGA, and work towards ASIC demonstration is progressing. The RISC-V core and post-quantum coprocessor are fully functional; the PQSLIB library currently supports about half a dozen different NIST candidate algorithms at all post-quantum security levels, and work is ongoing to incorporate more.

The hardware components have been developed together with post-quantum cryptographic software in a clean-slate co-design process. However, the components are also offered separately; it is possible to integrate the cryptographic coprocessors with proprietary CPU cores (such as those from Intel or ARM), although this will usually increase ownership costs due to licensing fees.

See below for specific algorithm support.

What is a Secure Element?

A secure element is a microcontroller designed to generate and hold secret keys and to perform private key operations such as authentication, decryption, and digital signatures.

Secure elements, smart cards, and embedded security chips form the invisible digital security foundation for our daily lives. Even security professionals do not always know who makes the SIM cards that they trust with their mobile identity, the electronic keys to their car and office doors, or the bank card that protects their money.

Billions of embedded security chips are sold every year, and most of us carry a few everywhere we go. However, the industry behind these small, ubiquitous devices will soon undergo a quiet revolution as the cryptographic standards that underpin their security are being updated in response to the threat posed by quantum computers.

Information about various Secure Element types and recent sales figures is available from EuroSmart.

Why Post-Quantum Cryptography?

Legacy Cryptography. Cryptographic algorithm standards are defined by organizations such as NIST (National Institute of Standards and Technology), ETSI (European Telecommunications Standards Institute), and IETF (Internet Engineering Task Force). Current solutions are largely built on either RSA or Elliptic Curve-based public-key cryptography, technologies invented in the 1970s and 1980s. Unfortunately, we’ve known for a while that these specific schemes are vulnerable to attacks by quantum computers. The quantum attacks require only polynomial effort, so increasing key sizes is not a long-term solution: quantum computers can be made proportionally more efficient as well. The algorithms themselves need to be replaced with ones that have no known effective quantum attacks.

Post-Quantum Transition 2015-. The United States government initiated a long-term strategy of “post-quantum transition” in 2015 in response to the threat that powerful quantum computing poses to RSA and Elliptic Curve cryptosystems. There are newer cryptographic technologies that are not vulnerable to quantum attacks, notably lattice-based, code-based, multivariate, and hash-based algorithms. However, they have not previously been adopted as standards, and hence their usage has been low.

Here’s NSA’s Post-Quantum FAQ from 2016 where the US Government / NSS PQC transition plan is outlined.

NIST Post-Quantum Standardization 2016-2020s. In 2016 NIST launched a timeline for creation of updated, quantum-resistant cryptographic standards. PQShield’s researchers and engineers have been very active in this process, having designed several of the candidate algorithms and published studies about others. As has happened with previous algorithm changes (e.g. SHA, AES algorithms), other standardization bodies have expressed their intention to follow NIST’s lead as the algorithm evaluation and standardization process completes in the early 2020s. We now have a much clearer understanding of the upcoming standards than anyone had only a few years ago.

Compliance. The post-quantum requirement was first proposed for National Security Systems (NSS), which are used to process classified information that needs to remain confidential for decades. However, many private sector organizations in banking, finance, telecommunications, and other industries also prefer to use best-in-class protection in their applications. During the PQC transition it is not recommended to use older legacy cryptography in new applications and designs, and the new standards will eventually reach all aspects of our digital lives. All new systems fielded in the 2020s should be designed with the new cryptography standards in mind.

Official site of the NIST Post-Quantum Project.

Which algorithms are supported?

Multi-algorithm support. The hardware is modular and we are targeting all prominent post-quantum cryptography classes. We aim to support all NIST-approved Post-Quantum Algorithms as soon as they are selected. Note that the system is designed to also support legacy cryptography (RSA and Elliptic Curves) during the transition period.

Note that the same coprocessor supports multiple schemes and our architecture has been designed to be flexible towards tweaks in algorithm details, unlike some “monolithic” pure hardware implementations that will have to be re-engineered (and ASIC re-fabricated!) for each change.

Current status. Currently (Q1/2020) we support about half a dozen prominent algorithms in hardware via the PQSLIB APIs. As PQShield cryptographers and engineers are themselves coauthors of the Falcon signature scheme, Round5 and NTRU KEM / Public Key Encryption algorithms, those had initial priority. We have since extended our implementation effort to other NIST second round candidate algorithms.

We also have very efficient implementations of the XMSS and SPHINCS+ hash-based signature schemes, which are quite slow on embedded and mobile targets without specific hardware acceleration.

Three ways to support cryptography implementations. The architecture allows three pathways to support cryptography: coprocessor features, cryptography modules, and ISA extensions. The coprocessor is designed to directly support lattice arithmetic (e.g. RLWE and NTRU, some code-based schemes) and big integer arithmetic (e.g. RSA and ECC cryptography and isogeny-based post-quantum schemes). There are specific features to support code-based cryptography (especially in decoding). Hash-based cryptography is supported by separate dedicated hash modules, while instruction set extensions have been used to speed up certain control logic tasks (such as the ternary logic required by some algorithms).

Together with a PQSE full system emulator (which emulates both the RISC-V core and all of the cryptographic peripherals at near real-time speeds) and standard toolchains, the integration of hardware-based security and acceleration into existing applications is straightforward.

Configurability. The entire system can be configured to particular application needs with a single configuration file that affects both the hardware configuration and the cryptography firmware. PQSLIB also has pure software implementations of all algorithms, in case a system designer chooses not to opt in to some hardware features but would still like to support those algorithms. The same C library can also be executed on a PC for server-side development (we are working on server-class HSM solutions).

Is this Quantum Computing?

No. You don’t need a quantum computer or a quantum-secure physical link to run a quantum-secure algorithm, and in most cases you really don’t want to. For example, Quantum Key Distribution (QKD) is limited to physically protecting information in communication wires, and is therefore not even meant to solve the same problems as Post-Quantum Cryptography (PQC): digital signatures, authentication and identity, public key encryption and key exchange in applications such as TLS, WiFi, and 5G. Post-Quantum Cryptography is simply a design upgrade to cryptographic standards in which the threat of quantum computers has been taken into account.

Here’s an advisory white paper from the UK National Cyber Security Centre (NCSC), Quantum-safe cryptography:

Based on current understanding, we believe that for most real-world communications systems, and particularly for government systems, PQC will offer much more effective and efficient security mitigations than QKD.