
Special Issue on Post-Quantum Cryptography for Embedded Systems

Published: 29 March 2024

Introduction

In 2014, the National Institute of Standards and Technology (NIST) suggested that a quantum computer capable of breaking RSA could be built by 2030. The National Security Agency (NSA) warned in 2015 that progress in quantum computing had reached a point at which organizations should start deploying encryption algorithms designed to withstand attacks performed on quantum computers.

Post-quantum cryptography refers to cryptographic algorithms that are resistant to attacks by quantum computers. To ensure a smooth transition from current asymmetric cryptographic algorithms to post-quantum algorithms, two key aspects must be considered: implementation security and performance. This is particularly important for constrained devices, such as embedded and IoT devices, in various application domains, including industrial networks, critical infrastructures, banking, health, transportation, and many others. This motivates an urgent need to evaluate post-quantum cryptographic implementations on embedded systems for physical security and performance, including the integration of such implementations into current protocols and systems.
This special issue brings together original manuscripts that explore the latest developments in implementing secure and efficient post-quantum cryptographic algorithms for embedded and IoT applications. After a comprehensive and rigorous review, nine papers were selected to be featured in this special issue. The following is a brief summary of the papers included in this issue.

The article titled “Side-Channel Analysis of Lattice-Based Post-Quantum Cryptography: Exploiting Polynomial Multiplication” [1] presents side-channel analysis methodologies targeting all polynomial multiplications of all lattice-based post-quantum key encapsulation mechanisms in the final round of the NIST post-quantum standardization procedure. The article presents practical experiments on real side-channel measurements demonstrating that the proposed methods allow one to extract the secret key from all lattice-based post-quantum key encapsulation mechanisms. Furthermore, the analysis shows that the polynomial multiplication strategy used can significantly impact the time complexity of the attack.
The article titled “MemFHE: End-to-End Computing with Fully Homomorphic Encryption in Memory” [2] presents MemFHE, the first hardware accelerator that supports both client and server functionalities for the latest homomorphic encryption schemes based on Ring-GSW. This accelerator utilizes Processing In Memory (PIM) technology. The authors thoroughly evaluate MemFHE across different security levels and compare its performance against state-of-the-art CPU implementations of Ring-GSW–based Fully Homomorphic Encryption (FHE). MemFHE achieves speeds up to 20,000 times faster than CPU implementations and 265 times faster than GPU implementations for FHE arithmetic operations.
The article titled “Agile Acceleration of Stateful Hash-Based Signatures in Hardware” [3] presents the first agile hardware implementation that supports both LMS and XMSS hash-based signature schemes. The design can instantiate either LMS, XMSS, or both schemes using a simple configuration setting. Leveraging the vast similarities of the two schemes, the hardware utilization of the agile design increases by 20% in LUTs and only 3% in Flip Flops (FFs) over a standalone XMSS implementation. The approach showcased in the article offers the flexibility to configure an arbitrary number of hash cores and accelerators for one-time signatures, catering to various application scenarios. The article delves into the exploration of potential tradeoffs within the design space and provides a comparative analysis against previous works in the field.
The article titled “Post-Quantum Signatures on RISC-V with Hardware Acceleration” [4] presents a RISC-V HW/SW codesign for CRYSTALS-Dilithium and Falcon aiming at combining the advantages of SW and HW implementations, i.e., flexibility and performance. It is optimized for CRYSTALS-Dilithium as a generic signature scheme but also accelerates applications that require fast verification of Falcon's compact signatures. In addition to that, the article presents a compact Globalfoundries 22-nm ASIC design that runs at 800 MHz. By using hardware acceleration, energy consumption for CRYSTALS-Dilithium is reduced by up to 92.2%, and up to 67.5% for Falcon's signature verification.
The article titled “Cryptographic Engineering a Fast and Efficient SIKE in FPGA” [5] introduces new SIKE speed records using fewer resources than the state of the art. This approach entails designing and optimizing a new field multiplier, a SIKE-optimized Keccak unit, and a high-level controller. On a Xilinx Virtex-7 FPGA, the presented architecture performs the NIST Level 1 SIKE key encapsulation and key decapsulation functions in 2.23 and 2.39 ms, respectively. The combined key encapsulation and decapsulation time is 4.62 ms, which outperforms the next best Virtex-7 implementation by nearly 2 ms.

The article titled “Analysis of EM Fault Injection on Bit-sliced Number Theoretic Transform Software in Dilithium” [6] presents a bitsliced implementation of a fault countermeasure for the number-theoretic transform (NTT) on an advanced 667 MHz ARM Cortex-A9 processor and studies the fault coverage of the protected NTT under optimized electromagnetic fault injection (EMFI).

The article titled “A Configurable CRYSTALS-Kyber Hardware Implementation with Side-Channel Protection” [7] introduces a flexible and secure implementation of the CRYSTALS-Kyber KEM algorithm. The implementation allows for customization based on specific performance and area requirements, offering different tradeoffs for various applications. To enhance security, a range of innovative and well-established techniques have been carefully applied to ensure side-channel resistance. These include Fault Detection Hashes, Instruction Randomization, and FSM Protection. Despite these security measures, the impact on performance remains minimal, with less than a 5% decrease, while a high level of configurability is maintained.
The article titled “Towards Next Generation Quantum-Safe eIDs and eMRTDs—A Survey” [8] reviews the state of currently used crypto-systems for eCard security, as well as their possible quantum-secure replacements, by identifying and categorizing respective challenges, presenting and assessing existing approaches for their solution, and formulating research questions for open issues. By providing an overview of the situation, the article paves the way toward quantum-safe electronic Identity Documents (eIDs) and electronic Machine-Readable Travel Documents (eMRTDs).
Finally, the article titled “Side-channel and Fault-injection Attacks over Lattice-based Post-quantum Schemes (Kyber, Dilithium)” [9] presents a systematic study of side-channel and fault attacks on structured lattice-based schemes, with a focus on the Kyber KEM and the Dilithium signature scheme, which are leading candidates in the NIST standardization process for PQC.
The guest editors would like to express their gratitude to all the authors who made significant contributions to this special issue, as well as the reviewers for their timely and constructive feedback. We are also grateful to the Editor-in-Chief, Tulika Mitra, for her support and to the ACM Transactions on Embedded Computing Systems publication staff as well, who collaborated with us at every step.
We hope that this special issue will inspire new ideas for research and development in the field of efficient and secure implementation of post-quantum cryptographic algorithms on embedded devices.
Shivam Bhasin, Nanyang Technological University, Singapore, Singapore
Fabrizio De Santis, Siemens AG, Munich, Germany
Francesco Regazzoni, University of Amsterdam, Amsterdam, The Netherlands and Università della Svizzera italiana, Lugano, Switzerland
Guest Editors

References

[1] Catinca Mujdei, Lennert Wouters, Angshuman Karmakar, Arthur Beckers, Jose Maria Bermudo Mera, and Ingrid Verbauwhede. 2022. Side-channel analysis of lattice-based post-quantum cryptography: Exploiting polynomial multiplication. ACM Trans. Embed. Comput. Syst. Just Accepted (2022).
[2] Saransh Gupta, Rosario Cammarota, and Tajana Šimunić Rosing. 2022. MemFHE: End-to-end computing with fully homomorphic encryption in memory. ACM Trans. Embed. Comput. Syst. Just Accepted (2022).
[3] Jan Philipp Thoma, Darius Hartlief, and Tim Güneysu. 2022. Agile acceleration of stateful hash-based signatures in hardware. ACM Trans. Embed. Comput. Syst. Just Accepted (2022).
[4] Patrick Karl, Jonas Schupp, Tim Fritzmann, and Georg Sigl. 2023. Post-quantum signatures on RISC-V with hardware acceleration. ACM Trans. Embed. Comput. Syst. Just Accepted (2023).
[5] Rami Elkhatib, Brian Koziel, Reza Azarderakhsh, and Mehran Mozaffari Kermani. 2023. Cryptographic engineering a fast and efficient SIKE in FPGA. ACM Trans. Embed. Comput. Syst. Just Accepted (2023).
[6] Richa Singh, Saad Islam, Berk Sunar, and Patrick Schaumont. 2023. Analysis of EM fault injection on bit-sliced number theoretic transform software in Dilithium. ACM Trans. Embed. Comput. Syst. Just Accepted (2023).
[7] Arpan Jati, Naina Gupta, Anupam Chattopadhyay, and Somitra Kumar Sanadhya. 2023. A configurable CRYSTALS-Kyber hardware implementation with side-channel protection. ACM Trans. Embed. Comput. Syst. Just Accepted (2023).
[8] Nouri Alnahawi, Nicolai Schmitt, Alexander Wiesmaier, and Chiara-Marie Zok. 2023. Towards next generation quantum-safe eIDs and eMRTDs: A survey. ACM Trans. Embed. Comput. Syst. Just Accepted (2023).
[9] Prasanna Ravi, Anupam Chattopadhyay, Jan Pieter D'Anvers, and Anubhab Baksi. 2023. Side-channel and fault-injection attacks over lattice-based post-quantum schemes (Kyber, Dilithium): Survey and new results. ACM Trans. Embed. Comput. Syst. Just Accepted (2023).

Published In

ACM Transactions on Embedded Computing Systems, Volume 23, Issue 2, March 2024 (485 pages). EISSN: 1558-3465. DOI: 10.1145/3613548. Editor: Tulika Mitra.

Publisher: Association for Computing Machinery, New York, NY, United States

Publication History

Received: 27 February 2023
Accepted: 13 January 2024
Published: 29 March 2024
Published in TECS Volume 23, Issue 2