Post-Quantum Cryptography: Secure Element Implementation Strategies | Technical Leadership

35 min read Cryptography

Table of Contents

Introduction to Post-Quantum Cryptography

The advent of quantum computing poses an unprecedented threat to our current cryptographic infrastructure. As a hardware security engineer specializing in secure elements, I've been closely following the evolution of post-quantum cryptography (PQC) and its implications for hardware security. This article explores the practical aspects of implementing PQC algorithms in secure elements, with a focus on the challenges and strategies for effective deployment.

Post-quantum cryptography refers to cryptographic algorithms that are believed to be secure against attacks by quantum computers. The need for such algorithms has become increasingly urgent as quantum computing technology advances. While fully functional large-scale quantum computers capable of breaking current cryptographic systems don't exist yet, the "harvest now, decrypt later" attack strategy means that sensitive data encrypted today could be decrypted once sufficiently powerful quantum computers become available.

For secure element designers, this presents a significant challenge. Secure elements are hardware components designed to securely store cryptographic keys and perform cryptographic operations in a tamper-resistant environment. They form the foundation of security for numerous applications, from payment cards and secure authentication tokens to IoT devices and automotive security modules. Redesigning these elements to support post-quantum algorithms requires addressing numerous technical challenges while maintaining backward compatibility with existing systems.

The security of post-quantum cryptography against quantum computers can be quantified using:

Qsecurity = min(classical_security/2, quantum_specific_security)

This reflects Grover's algorithm's impact on symmetric cryptography and specialized quantum attacks on asymmetric systems.

The Quantum Computing Threat Model

Quantum computers leverage quantum mechanical phenomena such as superposition and entanglement to perform computations that would be infeasible for classical computers. Shor's algorithm, in particular, can efficiently factor large integers and compute discrete logarithms, effectively breaking RSA and ECC-based cryptosystems that form the backbone of our current security infrastructure.

The quantum threat to cryptography is not uniform across all cryptographic primitives. While public-key cryptography based on integer factorization (RSA) and discrete logarithms (DSA, ECDSA, Diffie-Hellman, ECDH) is severely threatened by Shor's algorithm, symmetric cryptography faces a less dramatic but still significant threat from Grover's algorithm, which provides a quadratic speedup for brute-force attacks. This means that AES-128, which provides 128 bits of security against classical attacks, would only provide approximately 64 bits of security against quantum attacks.

Quantum Computing Threat Timeline

Figure 1: Projected timeline for quantum computing threats to classical cryptography

Shor's Algorithm: Mathematical Foundations

Shor's algorithm provides an exponential speedup for integer factorization by leveraging quantum superposition to find the period of a function. This directly threatens RSA encryption, which relies on the difficulty of factoring large numbers.

For a number N to be factored, Shor's algorithm works as follows:

  1. Choose a random number a < N
  2. Compute gcd(a, N). If it's not 1, we've found a factor
  3. Find the period r of the function f(x) = ax mod N
  4. If r is odd or ar/2 ≡ -1 (mod N), go back to step 1
  5. Calculate gcd(ar/2 ± 1, N) to find the factors

The quantum part of the algorithm efficiently finds the period r using quantum Fourier transform, providing exponential speedup over classical methods.

Shor's algorithm can factor an integer N in:

O((log N)3)

quantum operations, compared to the sub-exponential complexity of the best classical algorithms:

O(e(log N)1/3(log log N)2/3)

The quantum Fourier transform, which is a key component of Shor's algorithm, transforms the quantum state to reveal the period. The probability amplitude for measuring the quantum state after applying the quantum Fourier transform can be represented as:

The probability amplitude in Shor's algorithm after quantum Fourier transform:

P(x) = \frac{1}{r} \sum_{k=0}^{r-1} e^{2\pi i k x / r}

Where r is the period we're trying to find.

Quantum Resource Requirements

To break RSA-2048 using Shor's algorithm, researchers estimate the following quantum resources would be needed:

  • Logical qubits: ~4,000
  • Physical qubits: ~20 million (assuming error correction overhead)
  • Gate depth: ~109
  • Gate error rate: <10-15

While these requirements are beyond current capabilities, the rapid advancement of quantum technologies suggests they may be achievable within the next 10-20 years. Current state-of-the-art quantum computers have reached around 100-1000 physical qubits with error rates still too high for implementing Shor's algorithm at scale. However, significant investments in quantum computing research by major technology companies and governments worldwide are accelerating progress in this field.

Projected Timeline for Quantum Threats

Estimating the timeline for when quantum computers will pose a practical threat to cryptography is challenging due to the unpredictable nature of technological breakthroughs. However, most experts agree on a timeframe of 10-15 years before quantum computers capable of breaking RSA-2048 become available. This estimate is based on the current rate of progress in quantum computing and the significant engineering challenges that remain to be solved.

The "Y2Q" (Years to Quantum) problem refers to the point at which quantum computers will be able to break currently deployed cryptography. Unlike Y2K, which had a fixed date, Y2Q has a probability distribution that increases over time. This uncertainty makes planning for the post-quantum transition particularly challenging, as organizations must balance the costs of early migration against the risks of delayed action.

NIST Standardization Process

The National Institute of Standards and Technology (NIST) initiated a standardization process for post-quantum cryptographic algorithms in 2016. After multiple rounds of evaluation, NIST selected CRYSTALS-Kyber as the primary algorithm for key encapsulation mechanisms (KEMs) and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures.

Selection Criteria and Evaluation

NIST's evaluation process considered several criteria, including:

  • Security: Resistance to both classical and quantum attacks
  • Performance: Computational efficiency, memory requirements, and bandwidth usage
  • Algorithm and implementation characteristics: Simplicity, flexibility, and potential for side-channel resistance
  • Adoption potential: Intellectual property status, ease of implementation, and compatibility with existing protocols

The evaluation process involved extensive cryptanalysis by the cryptographic community, performance benchmarking on various platforms, and consideration of implementation aspects particularly relevant to constrained environments like secure elements.

Selected Algorithms and Their Properties

The algorithms selected by NIST represent different mathematical approaches to post-quantum cryptography:

  • CRYSTALS-Kyber: A lattice-based key encapsulation mechanism based on the module learning with errors (MLWE) problem
  • CRYSTALS-Dilithium: A lattice-based digital signature scheme also based on module lattices
  • FALCON: A lattice-based signature scheme using NTRU lattices with a focus on compact signatures
  • SPHINCS+: A stateless hash-based signature scheme with security based on the properties of cryptographic hash functions

These algorithms offer different trade-offs between key size, signature/ciphertext size, and computational efficiency. For secure element implementations, these trade-offs are particularly important due to the constrained resources available.

CRYSTALS-Kyber: Mathematical Foundations

CRYSTALS-Kyber is a lattice-based cryptographic algorithm that derives its security from the hardness of the module learning with errors (MLWE) problem. The algorithm operates in polynomial rings and uses noise sampling techniques to ensure security against both classical and quantum attacks.

Lattice Problems and Security

Lattice-based cryptography is founded on the hardness of certain computational problems in lattices, which are discrete subgroups of the n-dimensional Euclidean space. The two main problems that form the basis for lattice-based cryptography are:

  • Shortest Vector Problem (SVP): Given a lattice, find the shortest non-zero vector in the lattice
  • Closest Vector Problem (CVP): Given a lattice and a target point, find the lattice point closest to the target

These problems are believed to be hard even for quantum computers, making them suitable foundations for post-quantum cryptography. The security level of lattice-based cryptography is related to the hardness of finding short vectors in lattices:

The security level of lattice-based cryptography is related to the hardness of finding short vectors in lattices:

δ0 ≈ (k/2πe) · (πq/k)k/n

Where:

  • δ0 is the root Hermite factor
  • k is the dimension of the lattice
  • q is the modulus
  • n is the polynomial degree

Module Learning With Errors (MLWE)

The Module Learning With Errors (MLWE) problem is a variant of the Learning With Errors (LWE) problem that offers a good balance between security and efficiency. The MLWE problem can be described as follows:

Given a matrix A ∈ Rqm×k, a vector b = As + e where s ∈ Rqk is a secret vector and e ∈ Rqm is a small error vector, find s.

Here, Rq = Zq[X]/(Xn+1) is a polynomial ring, where elements are polynomials of degree less than n with coefficients in Zq. The use of modules (Rqm×k) allows for a flexible trade-off between security and efficiency by adjusting the parameters m and k.

In Kyber, the polynomial ring Rq uses n = 256 and q = 3329, and the module dimension k varies depending on the security level (k = 2 for Kyber-512, k = 3 for Kyber-768, and k = 4 for Kyber-1024).

Key Generation, Encapsulation, and Decapsulation

CRYSTALS-Kyber operates as a Key Encapsulation Mechanism (KEM) with three main operations:

Key Generation:

  1. Sample a random seed d
  2. Generate a matrix A ∈ Rqk×k deterministically from d
  3. Sample secret vectors s, e ∈ Rqk with small coefficients
  4. Compute t = A·s + e
  5. The public key is (t, d) and the private key is s

Encapsulation:

  1. Sample a random message m
  2. Derive vectors r, e1 ∈ Rqk and e2 ∈ Rq with small coefficients from m
  3. Compute u = AT·r + e1
  4. Compute v = tT·r + e2 + ⌈q/2⌋·m
  5. The ciphertext is (u, v) and the shared secret is H(m)

Decapsulation:

  1. Compute m' = Compress(v - sT·u, 1)
  2. Verify that the ciphertext is valid using m'
  3. If valid, the shared secret is H(m'); otherwise, it's a pseudorandom value

These operations involve polynomial arithmetic in the ring Rq, which is typically implemented using the Number Theoretic Transform (NTT) for efficiency. The security of Kyber relies on the hardness of the MLWE problem, which is believed to be resistant to quantum attacks.

Hardware Implementation Challenges

Implementing PQC algorithms in secure elements presents several challenges, including increased key sizes, computational complexity, and memory requirements. For instance, Kyber-768 (security level 3) requires significantly more resources than current ECC implementations, necessitating careful optimization for resource-constrained environments.

Memory and Processing Requirements

Post-quantum cryptographic algorithms generally have larger key sizes and require more complex computations compared to traditional cryptographic algorithms. For secure elements, which typically have limited memory and processing capabilities, this presents a significant challenge.

The memory requirements for PQC algorithms can be substantial:

Algorithm Public Key Size Private Key Size Signature/Ciphertext Size Relative Computation
RSA-2048 256 bytes 512 bytes 256 bytes 1x
ECC-256 32 bytes 32 bytes 64 bytes 0.1x
CRYSTALS-Kyber-768 1,184 bytes 2,400 bytes 1,088 bytes 1.5x
CRYSTALS-Dilithium-3 1,952 bytes 4,000 bytes 3,293 bytes 2.5x
SPHINCS+-128s 32 bytes 64 bytes 7,856 bytes 300x

These larger key and signature/ciphertext sizes require careful memory management in secure elements. Additionally, the computational complexity of PQC algorithms, particularly for operations like polynomial multiplication in lattice-based schemes, necessitates efficient implementation techniques.

Power and Energy Constraints

Secure elements are often deployed in power-constrained environments, such as smart cards, IoT devices, and mobile devices. The increased computational requirements of PQC algorithms can lead to higher power consumption, which may be problematic for battery-powered devices or contactless applications with limited power budgets.

The power consumption of a cryptographic operation can be modeled as:

The power consumption of a PQC operation can be modeled as:

Ptotal = Pstatic + Pdynamic = VDD · Ileak + α · C · VDD2 · f

Where Pstatic is the static power consumption, Pdynamic is the dynamic power consumption, VDD is the supply voltage, Ileak is the leakage current, α is the activity factor, C is the capacitance, and f is the operating frequency.

Optimizing PQC implementations for power efficiency requires careful consideration of algorithm parameters, implementation techniques, and hardware architecture. Techniques such as clock gating, power gating, and voltage scaling can be employed to reduce power consumption during cryptographic operations.

Resource Comparison with Classical Cryptography

Compared to classical cryptographic algorithms like RSA and ECC, PQC algorithms generally require more resources in terms of memory, computation, and communication bandwidth. This resource disparity is particularly challenging for secure elements, which are designed to be small, low-power, and cost-effective.

For example, a typical secure element might have:

  • 8-16 KB of RAM
  • 64-256 KB of non-volatile memory
  • A 32-bit processor running at 25-50 MHz
  • Limited power budget (e.g., 20-30 mW for contactless operation)

Implementing PQC algorithms within these constraints requires careful optimization and potentially hardware acceleration for critical operations. The trade-offs between security, performance, and resource usage must be carefully balanced to achieve a practical implementation.

Optimization Techniques for Secure Elements

Several optimization techniques can be employed to efficiently implement PQC algorithms in secure elements. These include specialized hardware accelerators for polynomial multiplication, optimized number theoretic transform (NTT) implementations, and memory management strategies to handle the larger key sizes.

Efficient Polynomial Arithmetic

Lattice-based cryptography, including CRYSTALS-Kyber, relies heavily on polynomial arithmetic in rings of the form Rq = Zq[X]/(Xn+1). Efficient implementation of polynomial multiplication is critical for performance.

Several approaches can be used for polynomial multiplication:

  • Schoolbook multiplication: Simple but has O(n²) complexity
  • Karatsuba multiplication: Reduces complexity to O(nlog₂3) ≈ O(n1.585)
  • Number Theoretic Transform (NTT): Reduces complexity to O(n log n) but requires specific moduli

For secure element implementations, the NTT is typically the most efficient approach for polynomial multiplication. Hardware accelerators for NTT can significantly improve performance, with some implementations achieving speedups of 10-100x compared to software implementations.

Lattice-Based Polynomial Multiplication 
// Conceptual implementation of a masked polynomial multiplier for lattice-based PQC
module masked_poly_multiplier #(
    parameter POLY_LEN = 256,
    parameter COEFF_WIDTH = 32
) (
    input wire clk,
    input wire rst_n,
    input wire [COEFF_WIDTH-1:0] poly_a [POLY_LEN-1:0],
    input wire [COEFF_WIDTH-1:0] poly_b [POLY_LEN-1:0],
    input wire [COEFF_WIDTH-1:0] mask_a [POLY_LEN-1:0],
    input wire [COEFF_WIDTH-1:0] mask_b [POLY_LEN-1:0],
    output wire [COEFF_WIDTH-1:0] result [POLY_LEN-1:0],
    output wire [COEFF_WIDTH-1:0] result_mask [POLY_LEN-1:0]
);
    // Implementation with constant-time processing
    // and power-balanced execution

    // Number Theoretic Transform approach for polynomial multiplication
    // with side-channel protection

    // For secure implementation, must ensure:
    // 1. Constant-time operations regardless of input values
    // 2. Protection against power analysis attacks
    // 3. Efficient use of hardware resources

endmodule

Number Theoretic Transform Optimization

The Number Theoretic Transform (NTT) is a key operation in lattice-based cryptography. Optimizing the NTT implementation can significantly improve the performance of PQC algorithms.

The NTT transforms a polynomial a(x) = a₀ + a₁x + ... + an-1xn-1 into its frequency domain representation A = NTT(a) using the formula:

The Number Theoretic Transform (NTT) is defined as:

A[j] = ∑i=0n-1 a[i] · ωij mod q

Where ω is a primitive n-th root of unity in Zq.

Optimizations for NTT implementation include:

  • Precomputation of twiddle factors: Store ωij values to avoid repeated calculations
  • In-place computation: Reduce memory usage by performing the transform in-place
  • Cooley-Tukey and Gentleman-Sande butterflies: Efficient algorithms for computing the NTT
  • Modular reduction optimization: Efficient techniques for performing modular reduction, such as Montgomery reduction or Barrett reduction

Hardware accelerators for NTT can implement these optimizations to achieve high performance while maintaining security against side-channel attacks.

Memory Management Strategies

Efficient memory management is critical for implementing PQC algorithms in secure elements with limited memory resources. Several strategies can be employed:

  • In-place processing: Perform operations in-place whenever possible to reduce memory usage
  • Memory reuse: Reuse memory buffers for different operations when the data is no longer needed
  • Incremental processing: Process data in smaller chunks to reduce peak memory usage
  • Compression techniques: Use compression to reduce the size of keys and signatures/ciphertexts

For example, in CRYSTALS-Kyber, the public key can be compressed by storing only the seed d and regenerating the matrix A when needed, rather than storing the entire matrix. Similarly, the private key can be compressed by storing only the seed used to generate the secret vectors s and e.

Side-Channel Attack Protection

PQC implementations must be protected against side-channel attacks, which may exploit timing variations, power consumption patterns, or electromagnetic emissions to extract secret information. Masking techniques, constant-time implementations, and physical countermeasures are essential for secure deployment.

Masking Techniques for PQC

Masking is a countermeasure against power analysis attacks that works by splitting sensitive variables into multiple shares that are processed independently. For PQC algorithms, masking can be applied to protect the secret key and intermediate values during cryptographic operations.

The mathematical representation of a first-order masked implementation for polynomial operations can be expressed as:

A first-order masked implementation splits a secret polynomial s(x) into two shares:

s(x) = s1(x) ⊕ s2(x)

Where s1(x) and s2(x) are random shares such that their combination reconstructs the original secret.

Higher-order masking schemes provide protection against higher-order attacks by using more shares and ensuring that no combination of d or fewer shares leaks information about the secret, where d is the order of the masking scheme.

Implementing masking for lattice-based cryptography presents challenges due to the complex operations involved, such as polynomial multiplication and the NTT. Specialized masking schemes have been developed for these operations to ensure security while maintaining acceptable performance.

Constant-Time Implementations

Timing attacks exploit variations in the execution time of cryptographic operations to extract secret information. Constant-time implementations ensure that the execution time of cryptographic operations is independent of the secret data, preventing timing attacks.

For PQC algorithms, achieving constant-time implementation requires careful attention to several aspects:

  • Control flow: Avoid conditional branches based on secret data
  • Memory access patterns: Ensure that memory access patterns do not depend on secret data
  • Arithmetic operations: Use constant-time implementations for arithmetic operations, particularly for operations with variable execution time like division

For example, in CRYSTALS-Kyber, the sampling of noise polynomials must be implemented in constant time to prevent leakage of the secret key. Similarly, the polynomial arithmetic operations must be implemented to ensure that their execution time does not depend on the values of the coefficients.

Physical Countermeasures

In addition to algorithmic countermeasures like masking and constant-time implementation, physical countermeasures can be employed to protect against side-channel attacks:

  • Shielding: Physical shielding to reduce electromagnetic emissions
  • Noise generation: Adding random noise to power consumption or electromagnetic emissions to make attacks more difficult
  • Balanced logic: Using balanced logic styles like dual-rail logic to equalize power consumption
  • Secure design practices: Following secure design practices to minimize vulnerabilities

These physical countermeasures complement the algorithmic countermeasures to provide comprehensive protection against side-channel attacks. The combination of these countermeasures is particularly important for secure elements, which are designed to resist physical attacks.

Side-Channel Protection for PQC 
// PQC-specific side-channel protection techniques
module pqc_side_channel_protection (
    // Standard interface ports omitted for brevity
);
    // 1. Constant-Time Implementation
    // Critical for preventing timing attacks on polynomial operations

    // 2. Masking Techniques
    // Higher-order masking for protection against DPA

    // 3. Secure Key Management
    // Specialized secure storage for larger PQC keys

    // 4. Noise Injection
    // Controlled randomization of power consumption and timing
    // characteristics without compromising functional correctness

endmodule

Performance Analysis and Benchmarks

Our performance analysis of CRYSTALS-Kyber implementations on various secure element platforms shows that with appropriate optimizations, acceptable performance can be achieved. For example, a Kyber-768 key generation operation can be completed in under 10ms on a modern secure element with dedicated cryptographic acceleration.

Benchmark Methodology

To evaluate the performance of PQC algorithms on secure elements, a comprehensive benchmark methodology is required. This methodology should consider various aspects of performance, including:

  • Execution time: Time required for key generation, encapsulation/encryption, and decapsulation/decryption operations
  • Memory usage: Peak memory usage and average memory usage during cryptographic operations
  • Power consumption: Energy required for cryptographic operations, particularly important for battery-powered devices
  • Code size: Size of the implementation code, which affects the memory footprint of the secure element

Benchmarks should be performed on representative secure element platforms with varying capabilities to provide a comprehensive understanding of performance across different scenarios.

Performance Results on Various Platforms

Performance results for CRYSTALS-Kyber on various secure element platforms show significant variations depending on the platform capabilities and the level of optimization:

Platform Key Generation (ms) Encapsulation (ms) Decapsulation (ms) RAM Usage (KB)
32-bit MCU @ 25 MHz (Software) 120 150 180 12
32-bit MCU @ 50 MHz (Software) 60 75 90 12
32-bit MCU @ 50 MHz (NTT Accelerator) 15 20 25 8
Secure Element with PQC Acceleration 5 7 9 4

These results demonstrate that with appropriate hardware acceleration, PQC algorithms like CRYSTALS-Kyber can achieve performance comparable to traditional cryptographic algorithms on secure elements.

Impact of Optimizations

Various optimizations can significantly impact the performance of PQC implementations on secure elements:

  • Hardware acceleration: Dedicated hardware accelerators for operations like the NTT can provide speedups of 10-100x compared to software implementations
  • Algorithm-specific optimizations: Tailoring the implementation to the specific characteristics of the algorithm can yield significant performance improvements
  • Memory optimizations: Efficient memory management can reduce memory usage and improve cache utilization
  • Compiler optimizations: Using compiler optimizations and hand-tuned assembly code for critical sections can improve performance

The impact of these optimizations varies depending on the platform and the specific PQC algorithm. For lattice-based algorithms like CRYSTALS-Kyber, hardware acceleration of the NTT typically provides the most significant performance improvement.

Migration Strategies for Existing Systems

Migrating existing systems to post-quantum cryptography requires careful planning. Hybrid approaches that combine classical and post-quantum algorithms provide a pragmatic transition path, ensuring backward compatibility while gradually introducing quantum resistance.

Hybrid Cryptographic Approaches

Hybrid cryptographic approaches combine classical and post-quantum algorithms to provide both backward compatibility and quantum resistance. For example, a hybrid key exchange protocol might use both ECDH and CRYSTALS-Kyber, combining the keys derived from both algorithms to create the final shared secret:

A hybrid key exchange protocol can be represented as:

K = KDF(Kclassical || KPQC)

Where KDF is a key derivation function, Kclassical is a key established using traditional cryptography (e.g., ECDH), and KPQC is a key established using post-quantum cryptography (e.g., Kyber).

This approach ensures that the security of the system is at least as strong as the stronger of the two algorithms. If the classical algorithm is broken by a quantum computer, the post-quantum algorithm still provides security. Conversely, if the post-quantum algorithm is found to have vulnerabilities, the classical algorithm still provides security against classical attacks.

Ensuring Backward Compatibility

Backward compatibility is a critical consideration when migrating to post-quantum cryptography. Existing systems and protocols may not be designed to handle the larger key sizes and different cryptographic operations required by PQC algorithms.

Several approaches can be used to ensure backward compatibility:

  • Protocol extensions: Extend existing protocols to support PQC algorithms while maintaining compatibility with older versions
  • Hybrid certificates: Use certificates that contain both classical and post-quantum public keys
  • Fallback mechanisms: Implement fallback mechanisms that allow systems to use classical cryptography when PQC is not supported

For secure elements, backward compatibility may require supporting both classical and post-quantum algorithms simultaneously, which can be challenging due to resource constraints. Careful design and optimization are required to achieve this while maintaining acceptable performance.

Transition Planning and Risk Management

Transitioning to post-quantum cryptography requires careful planning and risk management. Organizations should develop a transition plan that considers:

  • Inventory of cryptographic assets: Identify all systems and data that rely on cryptography
  • Risk assessment: Evaluate the impact of quantum computing on each cryptographic asset
  • Prioritization: Prioritize the migration of high-risk assets
  • Testing and validation: Thoroughly test PQC implementations before deployment
  • Monitoring and updates: Continuously monitor for advances in quantum computing and cryptanalysis, and update implementations as needed

For secure elements, the transition to PQC may require hardware upgrades or replacements, which can be costly and time-consuming. Planning for this transition well in advance can help mitigate these challenges.

Case Study: PQC in a Secure Element

To illustrate the practical aspects of implementing PQC in secure elements, let's consider a case study of retrofitting an existing TPM (Trusted Platform Module) design to support post-quantum algorithms.

The original TPM design had the following specifications:

  • 32-bit processor running at 50 MHz
  • 16 KB of RAM
  • 128 KB of non-volatile memory
  • Hardware accelerators for RSA and ECC
  • Support for RSA-2048 and ECC-256 for key exchange and digital signatures

The goal was to add support for CRYSTALS-Kyber for key exchange and CRYSTALS-Dilithium for digital signatures while maintaining backward compatibility with RSA and ECC.

The main challenges encountered were:

  • Memory constraints: The larger key sizes and intermediate values of PQC algorithms required careful memory management
  • Performance: Software implementations of PQC algorithms were too slow for practical use
  • Side-channel protection: New side-channel vulnerabilities specific to PQC algorithms needed to be addressed

The solution involved:

  • Hardware acceleration: Adding a dedicated NTT accelerator for polynomial multiplication
  • Memory optimization: Implementing incremental processing and memory reuse techniques
  • Side-channel countermeasures: Implementing masking and constant-time techniques specific to PQC algorithms
  • Hybrid approach: Supporting both classical and post-quantum algorithms with a hybrid protocol

The resulting design achieved acceptable performance for PQC operations while maintaining backward compatibility with existing systems. The key generation, encapsulation, and decapsulation operations for CRYSTALS-Kyber-768 were completed in 15ms, 20ms, and 25ms, respectively, which is acceptable for most applications.

This case study demonstrates that with appropriate optimizations and hardware acceleration, PQC algorithms can be successfully implemented in secure elements, providing quantum resistance while maintaining acceptable performance and backward compatibility.

Conclusion and Future Directions

Post-quantum cryptography implementation in secure elements is both necessary and feasible. While challenges exist, particularly in resource-constrained environments, appropriate optimization techniques and careful design can lead to efficient and secure implementations. As quantum computing continues to advance, the industry must accelerate its transition to quantum-resistant cryptographic solutions.

The migration to post-quantum cryptography is not just a technical challenge but also a strategic one. Organizations must plan for this transition well in advance to ensure that their systems remain secure in the post-quantum era. This includes not only implementing PQC algorithms but also developing migration strategies, ensuring backward compatibility, and managing the risks associated with the transition.

Future research in this area will likely focus on:

  • More efficient implementations: Developing more efficient implementations of PQC algorithms for resource-constrained environments
  • Hardware acceleration: Designing specialized hardware accelerators for PQC operations
  • Side-channel protection: Developing more effective countermeasures against side-channel attacks on PQC implementations
  • Standardization and certification: Establishing standards and certification processes for PQC implementations

As the field of post-quantum cryptography continues to evolve, secure element designers must stay informed about the latest developments and adapt their designs accordingly. The transition to post-quantum cryptography is a journey that requires collaboration between researchers, standardization bodies, hardware designers, and software developers to ensure that our cryptographic infrastructure remains secure in the quantum era.

References

  1. Shor, P. W. (1997). Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. SIAM Journal on Computing, 26(5), 1484-1509. https://doi.org/10.1137/S0097539795293172
  2. Grover, L. K. (1996). A fast quantum mechanical algorithm for database search. Proceedings of the twenty-eighth annual ACM symposium on Theory of computing, 212-219. https://doi.org/10.1145/237814.237866
  3. Bernstein, D. J., & Lange, T. (2017). Post-quantum cryptography. Nature, 549(7671), 188-194. https://doi.org/10.1038/nature23461
  4. Mosca, M. (2018). Cybersecurity in an era with quantum computers: will we be ready? IEEE Security & Privacy, 16(5), 38-41. https://doi.org/10.1109/MSP.2018.3761723
  5. Alagic, G., Alperin-Sheriff, J., Apon, D., Cooper, D., Dang, Q., Kelsey, J., Liu, Y., Miller, C., Moody, D., Peralta, R., Perlner, R., Robinson, A., & Smith-Tone, D. (2019). Status Report on the First Round of the NIST Post-Quantum Cryptography Standardization Process. NIST IR 8240. https://doi.org/10.6028/NIST.IR.8240
  6. Proos, J., & Zalka, C. (2003). Shor's discrete logarithm quantum algorithm for elliptic curves. Quantum Information & Computation, 3(4), 317-344. https://doi.org/10.26421/QIC3.4-3
  7. Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schwabe, P., Seiler, G., & Stehlé, D. (2018). CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2018(1), 238-268. https://doi.org/10.13154/tches.v2018.i1.238-268
  8. Albrecht, M. R., Orsini, E., Paterson, K. G., Peer, G., & Smart, N. P. (2017). Tightly Secure Ring-LWE Based Key Encapsulation with Short Ciphertexts. Computer Security – ESORICS 2017, 29-46. https://doi.org/10.1007/978-3-319-66402-6_3
  9. Alkim, E., Ducas, L., Pöppelmann, T., & Schwabe, P. (2016). Post-quantum key exchange—a new hope. 25th USENIX Security Symposium, 327-343. https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/alkim
  10. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., & Zhandry, M. (2011). Random Oracles in a Quantum World. Advances in Cryptology – ASIACRYPT 2011, 41-69. https://doi.org/10.1007/978-3-642-25385-0_3
  11. Peikert, C. (2014). Lattice Cryptography for the Internet. Post-Quantum Cryptography, 197-219. https://doi.org/10.1007/978-3-319-11659-4_12
  12. Micciancio, D., & Regev, O. (2009). Lattice-based cryptography. Post-quantum cryptography, 147-191. https://doi.org/10.1007/978-3-540-88702-7_5
  13. Bernstein, D. J., Chuengsatiansup, C., Lange, T., & van Vredendaal, C. (2017). NTRU Prime: Reducing Attack Surface at Low Cost. Selected Areas in Cryptography – SAC 2017, 235-260. https://doi.org/10.1007/978-3-319-72565-9_12
  14. Jao, D., & De Feo, L. (2011). Towards Quantum-Resistant Cryptosystems from Supersingular Elliptic Curve Isogenies. Post-Quantum Cryptography, 19-34. https://doi.org/10.1007/978-3-642-25405-5_2
  15. Alagic, G., Alperin-Sheriff, J., Apon, D., Cooper, D., Dang, Q., Miller, C., Moody, D., Peralta, R., Perlner, R., Robinson, A., Smith-Tone, D., & Shen, Y. (2020). Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process. NIST IR 8309. https://doi.org/10.6028/NIST.IR.8309
  16. NIST. (2022). Post-Quantum Cryptography Standardization. National Institute of Standards and Technology. https://csrc.nist.gov/Projects/post-quantum-cryptography/post-quantum-cryptography-standardization
  17. Bos, J., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schanck, J. M., Schwabe, P., Seiler, G., & Stehlé, D. (2018). CRYSTALS-Kyber: A CCA-secure module-lattice-based KEM. IEEE European Symposium on Security and Privacy (EuroS&P), 353-367. https://doi.org/10.1109/EuroSP.2018.00032
  18. Ravi, P., Poussier, R., Bhasin, S., & Chattopadhyay, A. (2020). Side-channel evaluation of lattice-based post-quantum cryptographic implementations. IEEE Transactions on Computers, 69(11), 1570-1583. https://doi.org/10.1109/TC.2020.3022979
  19. Pöppelmann, T., & Güneysu, T. (2014). Towards practical lattice-based public-key encryption on reconfigurable hardware. Selected Areas in Cryptography – SAC 2013, 68-85. https://doi.org/10.1007/978-3-662-43414-7_4
  20. Oder, T., Pöppelmann, T., & Güneysu, T. (2014). Beyond ECDSA and RSA: Lattice-based digital signatures on constrained devices. 2014 51st ACM/EDAC/IEEE Design Automation Conference (DAC), 1-6. https://doi.org/10.1145/2593069.2593098