White Paper
This white paper focuses on the challenges and practical considerations of adopting PQC in hardware for resource-constrained embedded and IoT devices. While PQC adoption is accelerating in the software domain – evident from early integrations by companies like Apple, Google, and Signal – hardware adoption lags behind due to constraints such as processing limitations, power budgets, cost sensitivity, and rigid regulatory standards. Embedded systems are particularly exposed, as their cryptographic vulnerabilities often arise from flawed implementations rather than algorithm weaknesses.
To ensure readiness for the post-quantum era, several major organizations have initiated standardization efforts. The NIST PQC competition, launched in 2016, selected four algorithms in 2022: ML-KEM (Kyber) for key encapsulation, and three digital signature schemes – ML-DSA (Dilithium), SLH-DSA (SPHINCS+), and FN-DSA (Falcon). In 2024, NIST concluded a fourth round of evaluation to diversify its KEM selection, ultimately choosing HQC, a code-based scheme, to complement the lattice-based Kyber. Meanwhile, China’s CACR and South Korea’s KpqC competitions have added to the global knowledge base, showcasing regional algorithm development and evaluation. The NSA’s CNSA 2.0 suite also provides U.S. national guidance, recommending specific PQC algorithms for firmware, software signing, and public key encryption.
The document provides an in-depth comparison of PQC algorithm types – including lattice-based, code-based, and hash-based cryptography – and assesses their practical performance and memory impact, particularly in constrained environments. It highlights that while mature options like FrodoKEM and Classic McEliece offer strong security, their large key sizes make them impractical for embedded systems. In contrast, ML-KEM strikes a balance between performance and footprint. Algorithms like HQC and SMAUG-T offer advantages in storage-constrained scenarios due to their smaller secret key sizes.
Implementation security is a major theme. The paper warns that even standardized PQC algorithms like CRYSTALS-Kyber and Dilithium have been shown to be vulnerable to side-channel and fault injection attacks if implemented carelessly. To defend against these risks, the paper recommends layered strategies involving secure coding, attack mitigations, secure key management, and formal verification.
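To make the "secure coding" layer concrete, the following C example (added here; it is not code from the white paper or from any PQC library) contrasts the timing-leaking early-exit comparison with a constant-time comparison plus branch-free selection, the pattern a KEM decapsulation's implicit-rejection step needs when it checks the re-encrypted ciphertext against the received one. The `SS_LEN`, `CT_LEN`, `run_sample` names and all sample bytes are constructed for illustration; real ciphertexts are far longer than the toy 16 bytes used here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SS_LEN 32   /* shared-secret length, as in ML-KEM (32 bytes) */
#define CT_LEN 16   /* constructed toy ciphertext length for the sample only */

/* Weak pattern: early-exit comparison. The loop stops at the first
 * mismatching byte, so execution time reveals how long the matching
 * prefix is. Shown only as the 'before' form. */
int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Hardened pattern: OR every byte difference into an accumulator so the
 * work done does not depend on where (or whether) the inputs differ, then
 * turn "diff == 0" into an all-ones/all-zeros mask with unsigned
 * arithmetic instead of a branch. Returns 0xFF when equal, 0x00 otherwise. */
uint8_t ct_equal_mask(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    /* (diff - 1) wraps to 0xFFFFFFFF only when diff == 0 */
    return (uint8_t)(((uint32_t)diff - 1u) >> 24);
}

/* Branch-free selection: out = mask ? yes : no, byte by byte. */
void ct_select(uint8_t *out, const uint8_t *yes, const uint8_t *no,
               uint8_t mask, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)((yes[i] & mask) | (no[i] & (uint8_t)~mask));
}

/* The implicit-rejection step of a KEM decapsulation: compare the received
 * ciphertext with the one re-encrypted from the decrypted message and
 * output either the real shared secret or a pseudorandom rejection value,
 * without a data-dependent branch. */
void implicit_reject(uint8_t out[SS_LEN],
                     const uint8_t *ct_received, const uint8_t *ct_recomputed,
                     size_t ct_len,
                     const uint8_t shared_secret[SS_LEN],
                     const uint8_t reject_value[SS_LEN])
{
    uint8_t mask = ct_equal_mask(ct_received, ct_recomputed, ct_len);
    ct_select(out, shared_secret, reject_value, mask, SS_LEN);
}

/* Constructed self-check (hypothetical helper, not a library API): builds
 * sample values, optionally flips one ciphertext bit, and reports which
 * value was released: 1 = shared secret, 2 = rejection value, 0 = neither. */
int run_sample(int tamper)
{
    uint8_t ct[CT_LEN], ct2[CT_LEN], ss[SS_LEN], rej[SS_LEN], out[SS_LEN];
    for (size_t i = 0; i < CT_LEN; i++)
        ct[i] = ct2[i] = (uint8_t)(0x10 + i);
    memset(ss, 0xAA, SS_LEN);    /* constructed "real" shared secret */
    memset(rej, 0x55, SS_LEN);   /* constructed rejection value */
    if (tamper)
        ct2[CT_LEN - 1] ^= 0x01; /* single-bit change in the last byte */
    implicit_reject(out, ct, ct2, CT_LEN, ss, rej);
    if (memcmp(out, ss, SS_LEN) == 0)  return 1;
    if (memcmp(out, rej, SS_LEN) == 0) return 2;
    return 0;
}

int main(void)
{
    printf("untampered ciphertext -> %s\n",
           run_sample(0) == 1 ? "shared secret" : "unexpected");
    printf("tampered ciphertext   -> %s\n",
           run_sample(1) == 2 ? "rejection value" : "unexpected");
    return 0;
}
```

Two caveats a practitioner should keep in mind: an optimizing compiler may rewrite the mask arithmetic back into a branch, so embedded builds should inspect the emitted assembly (or use a constant-time checking tool) rather than trust the source alone; and this pattern addresses timing leakage only, while power analysis and fault injection, which the paper also names, need their own countermeasures as part of the layered approach.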