FAQ

Status and Availability to Partners

PQSoC can be readily demonstrated on FPGA, and work towards an ASIC demonstration is progressing. The RISC-V core and post-quantum coprocessor are fully functional; the PQSLIB library currently supports about half a dozen NIST candidate algorithms at all post-quantum security levels, and work is ongoing to incorporate more.

The hardware components have been developed together with the post-quantum cryptographic software in a clean-slate co-design process. However, the components are also offered separately: it is possible to integrate the cryptographic coprocessors with proprietary CPU cores (such as those from Intel or ARM), although this will usually increase the cost of ownership due to licensing fees.

See below for specific algorithm support.

What is a Secure Element?

A secure element is a microcontroller designed to generate and hold secret keys and to perform private key operations such as authentication, decryption, and digital signatures.

Secure elements, smart cards, and embedded security chips form the invisible digital security foundation for our daily lives. Even security professionals do not always know who makes the SIM cards that they trust with their mobile identity, the electronic keys to their car and office doors, or the bank card that protects their money.

Billions of embedded security chips are sold every year, and most of us carry a few everywhere we go. However, the industry behind these small, ubiquitous devices will soon undergo a quiet revolution as the cryptographic standards that underpin their security are being updated in response to the threat posed by quantum computers.

Information about the various Secure Element types and recent sales figures can be found at EuroSmart.

Why Post-Quantum Cryptography?

Legacy Cryptography. Cryptographic algorithm standards are defined by organizations such as NIST (National Institute of Standards and Technology), ETSI (European Telecommunications Standards Institute), and IETF (Internet Engineering Task Force). Current solutions are largely built on either RSA or Elliptic Curve-based public-key cryptography, technologies invented in the 1970s and 1980s. Unfortunately, we’ve known for a while that these specific schemes are vulnerable to attacks by quantum computers. These quantum attacks require only polynomial effort, so increasing key sizes is not a long-term solution: quantum computers can be made proportionally more efficient as well. The algorithms themselves need to be replaced with ones that have no effective quantum attacks.

Post-Quantum Transition 2015-. The United States government initiated a long-term strategy of “post-quantum transition” in 2015 in response to the threat that powerful quantum computers pose to RSA and Elliptic Curve cryptosystems. There are newer cryptographic technologies that are not vulnerable to quantum attacks, notably lattice-based, code-based, multivariate, and hash-based algorithms. However, they had not previously been adopted as standards, and hence their usage has been low.

Here’s NSA’s Post-Quantum FAQ from 2016, where the US Government / NSS PQC transition plan is outlined.

NIST Post-Quantum Standardization 2016-2020s. In 2016 NIST launched a timeline for the creation of updated, quantum-resistant cryptographic standards. PQShield’s researchers and engineers have been very active in this process, having designed several of the candidate algorithms and published studies about others. As has happened with previous algorithm changes (e.g. the SHA and AES algorithms), other standardization bodies have expressed their intention to follow NIST’s lead as the algorithm evaluation and standardization process completes in the early 2020s. We now have a much clearer understanding of the upcoming standards than anyone had only a few years ago.

Compliance. The post-quantum requirement was first proposed for National Security Systems (NSS), which are used to process classified information that needs to remain confidential for decades. However, many private sector organizations in banking, finance, telecommunications, and other industries also prefer to use best-in-class protection in their applications. During the PQC transition it is not recommended to use older legacy cryptography in new applications and designs, and the new standards will eventually reach all aspects of our digital lives. All new systems fielded in the 2020s should be designed with the new cryptography standards in mind.

Official site of the NIST Post-Quantum Project.

Hardware-Software Codesign

Configurability. The entire system can be configured to particular application needs with a single configuration file that affects both the hardware configuration and the cryptography firmware. PQSLIB also has pure software implementations of all algorithms, in case a system designer chooses not to opt in to some hardware features but would still like to support those algorithms. The same C library can also be executed on a PC for server-side development (we are working on server-class HSM solutions).

Multi-algorithm support. The hardware is modular and we are targeting all prominent post-quantum cryptography classes. We aim to support all NIST-approved Post-Quantum Algorithms as soon as they are selected. Note that the system is designed to also support legacy cryptography (RSA and Elliptic Curves) during the transition period.

Note that the same coprocessor supports multiple schemes and our architecture has been designed to be flexible towards tweaks in algorithm details, unlike some “monolithic” pure hardware implementations that will have to be re-engineered (and ASIC re-fabricated!) for each change.

Three ways to support cryptography implementations. The architecture allows three pathways to support cryptography: Coprocessor features, cryptography modules, and ISA extensions. The coprocessor is designed to directly support lattice arithmetic (e.g. RLWE and NTRU, some code-based schemes) and big integer arithmetic (e.g. RSA and ECC cryptography and isogeny-based post-quantum schemes). There are specific features to support code-based cryptography (especially in decoding). Hash-based cryptography is supported by separate dedicated hash modules, while instruction set extensions have been used to speed up certain control logic tasks required by algorithms (such as ternary logic required by some algorithms).

Together with the PQSE full-system emulator (which emulates both the RISC-V core and all of the cryptographic peripherals at near real-time speed) and standard toolchains, the integration of hardware-based security and acceleration into existing applications is straightforward.

Which algorithms are supported?

These algorithms are part of the compliance suite and are available via the library for RV32/RV64, i386/AMD64, and ARMv7/ARMv8 targets. All are under PQShield commercial license and available now. Memory configuration may restrict suitability on microcontroller targets.

Legend: PK = public key bytes, SK = secret key bytes, Sig = signature (message extension) bytes, CT = ciphertext bytes, SS = shared secret bytes.

XMSS (ssig)

Hash-based stateful signature scheme. Final NIST SP 800-208 parameters.

Library ID PK SK Sig (Variant)
pqsl_xmss_sha2_10_256 64 132 2500 XMSS-SHA2_10_256
pqsl_xmss_sha2_10_192 48 100 1492 XMSS-SHA2_10_192
pqsl_xmss_shake256_10_256 64 132 2500 XMSS-SHAKE256_10_256
pqsl_xmss_shake256_10_192 48 100 1492 XMSS-SHAKE256_10_192
Library ID PK SK Sig (Variant)
pqsl_xmssmt_sha2_20_4_256 64 131 9251 XMSSMT-SHA2_20/4_256
pqsl_xmssmt_sha2_40_8_256 64 133 18469 XMSSMT-SHA2_40/8_256
pqsl_xmssmt_sha2_60_12_256 64 136 27688 XMSSMT-SHA2_60/12_256
pqsl_xmssmt_sha2_20_4_192 48 99 5403 XMSSMT-SHA2_20/4_192
pqsl_xmssmt_sha2_40_8_192 48 101 10781 XMSSMT-SHA2_40/8_192
pqsl_xmssmt_sha2_60_12_192 48 104 16160 XMSSMT-SHA2_60/12_192
pqsl_xmssmt_shake256_20_4_256 64 131 9251 XMSSMT-SHAKE256_20/4_256
pqsl_xmssmt_shake256_40_8_256 64 133 18469 XMSSMT-SHAKE256_40/8_256
pqsl_xmssmt_shake256_60_12_256 64 136 27688 XMSSMT-SHAKE256_60/12_256
pqsl_xmssmt_shake256_20_4_192 48 99 5403 XMSSMT-SHAKE256_20/4_192
pqsl_xmssmt_shake256_40_8_192 48 101 10781 XMSSMT-SHAKE256_40/8_192
pqsl_xmssmt_shake256_60_12_192 48 104 16160 XMSSMT-SHAKE256_60/12_192

All 44 parameter sets are coded up, but these 16 are currently recommended.
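As an added example (not code from this page or from PQSLIB), the script below parses rows in the table format used above, derives each parameter set's lifetime signature capacity 2^h from the tree height encoded in its library ID, picks the smallest signature that still meets a required number of signatures, and models the state rule that keeps a stateful scheme like XMSS safe: a leaf index is reserved and persisted before the signature is released, and an exhausted key refuses to sign rather than reuse a leaf. The `StatefulKey` class and `smallest_for` helper are hypothetical names, and the block performs no actual signing.

```python
import re

# Rows copied from the XMSS / XMSS^MT tables above: library ID, PK, SK, Sig bytes, variant.
XMSS_ROWS = """
pqsl_xmss_sha2_10_256 64 132 2500 XMSS-SHA2_10_256
pqsl_xmss_sha2_10_192 48 100 1492 XMSS-SHA2_10_192
pqsl_xmssmt_sha2_20_4_256 64 131 9251 XMSSMT-SHA2_20/4_256
pqsl_xmssmt_sha2_20_4_192 48 99 5403 XMSSMT-SHA2_20/4_192
pqsl_xmssmt_sha2_40_8_256 64 133 18469 XMSSMT-SHA2_40/8_256
pqsl_xmssmt_sha2_60_12_256 64 136 27688 XMSSMT-SHA2_60/12_256
"""
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

def parse_rows(text):
    """Parse the page's whitespace-separated table rows into {library_id: sizes}."""
    rows = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unparsable row: " + line)
        lib_id, pk, sk, sig, variant = m.groups()
        rows[lib_id] = {"pk": int(pk), "sk": int(sk), "sig": int(sig), "variant": variant}
    return rows

def capacity(lib_id):
    """Signatures a key can ever make: 2**h, where h is the first numeric field of the
    ID (XMSS: ..._h_n, XMSS^MT: ..._h_d_n; 'sha2' and 'shake256' are not all digits)."""
    h = next(int(f) for f in lib_id.split("_") if f.isdigit())
    return 1 << h

def smallest_for(rows, needed_sigs, n):
    """Smallest-signature parameter set at hash size n with enough lifetime capacity."""
    ok = [i for i in rows if i.endswith(f"_{n}") and capacity(i) >= needed_sigs]
    return min(ok, key=lambda i: rows[i]["sig"]) if ok else None

class StatefulKey:
    """Hypothetical state-management model (no real signing): each leaf index is used
    once, the index is reserved and must be persisted BEFORE the signature is released,
    and an exhausted key refuses to sign rather than reusing a leaf."""
    def __init__(self, lib_id, next_index=0):
        self.lib_id, self.limit, self.next_index = lib_id, capacity(lib_id), next_index

    def reserve_index(self):
        if self.next_index >= self.limit:
            raise RuntimeError(f"{self.lib_id}: all {self.limit} one-time keys used")
        idx = self.next_index
        self.next_index += 1  # on a real device: commit to non-volatile state here, then sign
        return idx

    def remaining(self):
        return self.limit - self.next_index
```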

CRYSTALS-KYBER (kem)

Lattice-based Key Establishment. NIST PQC Round 3 (Finalist).

Library ID PK SK CT SS (Variant)
pqsl_kyber512 800 1632 768 32 Kyber512
pqsl_kyber768 1184 2400 1088 32 Kyber768
pqsl_kyber1024 1568 3168 1568 32 Kyber1024
pqsl_kyber90s512 800 1632 768 32 Kyber512-90s
pqsl_kyber90s768 1184 2400 1088 32 Kyber768-90s
pqsl_kyber90s1024 1568 3168 1568 32 Kyber1024-90s

NTRU (kem)

Lattice-based Key Establishment. NIST PQC Round 3 (Finalist).

Library ID PK SK CT SS (Variant)
pqsl_ntruhps2048509 699 935 699 32 ntruhps2048509
pqsl_ntruhps2048677 930 1234 930 32 ntruhps2048677
pqsl_ntruhps4096821 1230 1590 1230 32 ntruhps4096821
pqsl_ntruhrss701 1138 1450 1138 32 ntruhrss701

SABER (kem)

Lattice-based Key Establishment. NIST PQC Round 3 (Finalist).

Library ID PK SK CT SS (Variant)
pqsl_saber 992 2304 1088 32 Saber
pqsl_lightsaber 672 1568 736 32 LightSaber
pqsl_firesaber 1312 3040 1472 32 FireSaber
pqsl_usaber 992 2208 1088 32 uSaber
pqsl_ulightsaber 672 1504 736 32 uLightSaber
pqsl_ufiresaber 1312 2912 1472 32 uFireSaber
pqsl_saber90s 992 2304 1088 32 Saber-90s
pqsl_lightsaber90s 672 1568 736 32 LightSaber-90s
pqsl_firesaber90s 1312 3040 1472 32 FireSaber-90s
pqsl_usaber90s 992 2208 1088 32 uSaber-90s
pqsl_ulightsaber90s 672 1504 736 32 uLightSaber-90s
pqsl_ufiresaber90s 1312 2912 1472 32 uFireSaber-90s

Classic McEliece (kem)

Code-based Key Establishment. NIST PQC Round 3 (Finalist).

Library ID PK SK CT SS (Variant)
pqsl_mceliece348864 261120 6492 128 32 mceliece348864
pqsl_mceliece460896 524160 13608 188 32 mceliece460896
pqsl_mceliece6688128 1044992 13932 240 32 mceliece6688128
pqsl_mceliece6960119 1047319 13948 226 32 mceliece6960119
pqsl_mceliece8192128 1357824 14120 240 32 mceliece8192128
pqsl_mceliece348864f 261120 6492 128 32 mceliece348864f
pqsl_mceliece460896f 524160 13608 188 32 mceliece460896f
pqsl_mceliece6688128f 1044992 13932 240 32 mceliece6688128f
pqsl_mceliece6960119f 1047319 13948 226 32 mceliece6960119f
pqsl_mceliece8192128f 1357824 14120 240 32 mceliece8192128f

SIKE (kem)

Isogeny-based Key Establishment. NIST PQC Round 3 (Alternative).

Library ID PK SK CT SS (Variant)
pqsl_sikep434 330 374 346 16 SIKEp434
pqsl_sikep503 378 434 402 24 SIKEp503
pqsl_sikep610 462 524 486 24 SIKEp610
pqsl_sikep751 564 644 596 32 SIKEp751
pqsl_sikep610c 274 491 336 24 SIKEp610 Compressed
pqsl_sikep434c 197 350 236 16 SIKEp434 Compressed
pqsl_sikep503c 225 407 280 24 SIKEp503 Compressed
pqsl_sikep751c 335 602 410 32 SIKEp751 Compressed

FrodoKEM (kem)

Lattice-based Key Establishment. NIST PQC Round 3 (Alternative).

Library ID PK SK CT SS (Variant)
pqsl_frodokem640a 9616 19888 9720 16 FrodoKEM-640-AES
pqsl_frodokem640s 9616 19888 9720 16 FrodoKEM-640-SHAKE
pqsl_frodokem976a 15632 31296 15744 24 FrodoKEM-976-AES
pqsl_frodokem976s 15632 31296 15744 24 FrodoKEM-976-SHAKE
pqsl_frodokem1344a 21520 43088 21632 32 FrodoKEM-1344-AES
pqsl_frodokem1344s 21520 43088 21632 32 FrodoKEM-1344-SHAKE

CRYSTALS-DILITHIUM (sign)

Lattice-based Signature Scheme. NIST PQC Round 3 (Finalist).

Library ID PK SK Sig (Variant)
pqsl_dilithium2 1312 2544 2420 Dilithium2
pqsl_dilithium3 1952 4016 3293 Dilithium3
pqsl_dilithium5 2592 4880 4595 Dilithium5
pqsl_dilithium2_r 1312 2544 2420 Dilithium2-R
pqsl_dilithium3_r 1952 4016 3293 Dilithium3-R
pqsl_dilithium5_r 2592 4880 4595 Dilithium5-R
pqsl_dilithium2_aes 1312 2544 2420 Dilithium2-AES
pqsl_dilithium3_aes 1952 4016 3293 Dilithium3-AES
pqsl_dilithium5_aes 2592 4880 4595 Dilithium5-AES
pqsl_dilithium2_aes_r 1312 2544 2420 Dilithium2-AES-R
pqsl_dilithium3_aes_r 1952 4016 3293 Dilithium3-AES-R
pqsl_dilithium5_aes_r 2592 4880 4595 Dilithium5-AES-R

FALCON (sign)

Lattice-based Signature Scheme. NIST PQC Round 3 (Finalist).

Library ID PK SK Sig (Variant)
pqsl_falcon512 897 1281 690 Falcon-512
pqsl_falcon1024 1793 2305 1330 Falcon-1024
pqsl_falcon512f 897 1281 690 Falcon-512 (“FIPS”)
pqsl_falcon1024f 1793 2305 1330 Falcon-1024 (“FIPS”)

RAINBOW (sign)

Multivariate Signature Scheme. NIST PQC Round 3 (Finalist).

Library ID PK SK Sig (Variant)
pqsl_rainbow1aci 60192 103648 66 (16,36,32,32)-circumzenithal
pqsl_rainbow1acl 161600 103648 66 (16,36,32,32)-classic
pqsl_rainbow1aco 60192 64 66 (16,36,32,32)-compressed
pqsl_rainbow3cci 264608 626048 164 (256,68,32,48)-circumzenithal
pqsl_rainbow3ccl 882080 626048 164 (256,68,32,48)-classic
pqsl_rainbow3cco 264608 64 164 (256,68,32,48)-compressed
pqsl_rainbow5cci 536136 1408736 212 (256,96,36,64)-circumzenithal
pqsl_rainbow5ccl 1930600 1408736 212 (256,96,36,64)-classic
pqsl_rainbow5cco 536136 64 212 (256,96,36,64)-compressed

SPHINCS+ (sign)

Hash-based Signature Scheme. NIST PQC Round 3 (Alternative).

Library ID PK SK Sig (Variant)
pqsl_spx_har128f_r 32 64 17088 haraka-128f-robust
pqsl_spx_har128f_s 32 64 17088 haraka-128f-simple
pqsl_spx_har128s_r 32 64 7856 haraka-128s-robust
pqsl_spx_har128s_s 32 64 7856 haraka-128s-simple
pqsl_spx_har192f_r 48 96 35664 haraka-192f-robust
pqsl_spx_har192f_s 48 96 35664 haraka-192f-simple
pqsl_spx_har192s_r 48 96 16224 haraka-192s-robust
pqsl_spx_har192s_s 48 96 16224 haraka-192s-simple
pqsl_spx_har256f_r 64 128 49856 haraka-256f-robust
pqsl_spx_har256f_s 64 128 49856 haraka-256f-simple
pqsl_spx_har256s_r 64 128 29792 haraka-256s-robust
pqsl_spx_har256s_s 64 128 29792 haraka-256s-simple
pqsl_spx_sha128f_r 32 64 17088 sha256-128f-robust
pqsl_spx_sha128f_s 32 64 17088 sha256-128f-simple
pqsl_spx_sha128s_r 32 64 7856 sha256-128s-robust
pqsl_spx_sha128s_s 32 64 7856 sha256-128s-simple
pqsl_spx_sha192f_r 48 96 35664 sha256-192f-robust
pqsl_spx_sha192f_s 48 96 35664 sha256-192f-simple
pqsl_spx_sha192s_r 48 96 16224 sha256-192s-robust
pqsl_spx_sha192s_s 48 96 16224 sha256-192s-simple
pqsl_spx_sha256f_r 64 128 49856 sha256-256f-robust
pqsl_spx_sha256f_s 64 128 49856 sha256-256f-simple
pqsl_spx_sha256s_r 64 128 29792 sha256-256s-robust
pqsl_spx_sha256s_s 64 128 29792 sha256-256s-simple
pqsl_spx_xof128f_r 32 64 17088 shake256-128f-robust
pqsl_spx_xof128f_s 32 64 17088 shake256-128f-simple
pqsl_spx_xof128s_r 32 64 7856 shake256-128s-robust
pqsl_spx_xof128s_s 32 64 7856 shake256-128s-simple
pqsl_spx_xof192f_r 48 96 35664 shake256-192f-robust
pqsl_spx_xof192f_s 48 96 35664 shake256-192f-simple
pqsl_spx_xof192s_r 48 96 16224 shake256-192s-robust
pqsl_spx_xof192s_s 48 96 16224 shake256-192s-simple
pqsl_spx_xof256f_r 64 128 49856 shake256-256f-robust
pqsl_spx_xof256f_s 64 128 49856 shake256-256f-simple
pqsl_spx_xof256s_r 64 128 29792 shake256-256s-robust
pqsl_spx_xof256s_s 64 128 29792 shake256-256s-simple

Is this Quantum Computing?

No. You don’t need a quantum computer or a quantum-secure physical link to run a quantum-secure algorithm, and in most cases, you really don’t want to.

Post-Quantum Cryptography (PQC) is a design upgrade to cryptographic standards in which the threat of quantum computers has been taken into account. Technologies such as Quantum Key Distribution (QKD) are currently limited to physically protecting information on communication links. QKD can’t provide the cybersecurity functionality of PQC: digital signatures, authentication and identity, public-key encryption, and key exchange in applications such as TLS or IPsec. QKD can’t be used over existing networks or wireless links, whereas PQC is readily deployable over WiFi and 5G.

The U.K. National Cyber Security Centre (NCSC) uses the term “Quantum Safe Cryptography” (QSC) specifically to refer to Post-Quantum Cryptography (PQC) and recommends against QKD in its Quantum security technologies advisory:

NCSC advice is that the best mitigation against the threat of quantum computers is quantum-safe cryptography.

The U.S. National Security Agency (NSA) Cybersecurity guidance for (Government and Military) National Security Systems shares similar views. For transition timelines to post-quantum cryptography, see NSA’s Post-Quantum Cybersecurity Resources page.
