
Security Highlight: Post-Quantum Cryptography on Embedded: challenges and opportunities

Author: Jasper van Woudenberg

Apple’s recent announcement regarding the integration of Post-Quantum Cryptography (PQC) into iMessage underscores the urgency and importance of adopting quantum-resistant encryption methods. We are moving to an era where quantum computing threatens the confidentiality of current cryptographic protocols, specifically through “harvest now, decrypt later” attacks: the ability to store communications today and crack the keys once a functional quantum computer exists. With embedded systems that can be physically attacked, we need to move a step further: hardware attack resistant PQC. This announcement presents an opportunity to discuss the challenges in implementing post-quantum cryptography algorithms.

Interestingly, side channel or fault attacks are not mentioned in the blog post. For a messaging app, this makes sense, because hardware attacks are local, and local attacks won’t go after a communication protocol. However, there are other targets for which local attacks are relevant.

The Need and Challenges for PQC in Embedded Systems

Take, for instance, your average embedded SoC. It comes with a root of trust, which typically uses Elliptic Curve Cryptography (ECC) to authenticate its system code before running it. With quantum computers, the ECC private keys can be broken with only the knowledge of the public keys. This leads to breaking code authentication, allowing attackers to run arbitrary code on the system, and bypassing any local security controls.

Now consider the hypothesis that we’ll have quantum computing in 5-10 years. Embedded systems, integral to a myriad of applications from automotive to IoT devices, are particularly at risk due to their long service life (e.g. up to 20 years in the automotive industry) and exposure to physical attacks.

Implementing PQC in embedded systems presents unique challenges. These systems often operate with limited processing power, memory, and energy, constraints that are magnified in ASIC and software implementations alike. Additionally, the potential for side-channel and fault attacks necessitates that PQC implementations are designed with these vulnerabilities in mind.

Current State of PQC in Embedded Systems

The non-updateable nature of many embedded systems, exemplified by non-modifiable ROM code implementing the root of trust, highlights the urgency of incorporating PQC today. However, the relative youth of PQC, illustrated by the breaking of the SIKE algorithm last year, suggests caution. The “belts and suspenders” approach, combining ECC with PQC, as seen in Apple’s iMessage protocol, emerges as a pragmatic interim solution. It is not without risk: we know from experience that more code means more fault injection (FI) attack surface, and if ECC gets broken with quantum computing we still need local attack resistance in PQC.
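The two points above, a root of trust that authenticates code with ECC and the “belts and suspenders” combination of ECC with PQC, can be made concrete in code. The following is an added example, not code from the original post or from Riscure: a hypothetical boot-image manifest carrying two signature legs, verified by a root of trust that accepts the image only if every required leg is present and valid (AND-composition), so a break of one algorithm does not by itself let a forged image boot. Because no PQC library is assumed to be available, Ed25519 stands in for the PQC leg; the composition and policy logic is the point, and a real deployment would replace that case with the chosen PQC signature scheme. All type names, algorithm identifiers and the sample image are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AlgID names one leg of the hybrid signature scheme (identifiers constructed for this example).
type AlgID string

const (
	AlgECDSAP256  AlgID = "ecdsa-p256"          // the classical ECC leg
	AlgPQCStandIn AlgID = "pqc-standin-ed25519" // ASSUMPTION: Ed25519 stands in for the PQC leg
)

// Signature is one leg's signature over the image; Manifest is the image plus all legs.
type Signature struct {
	Alg AlgID
	Sig []byte
}
type Manifest struct {
	Image []byte
	Sigs  []Signature
}

// Signer holds private keys, which stay in the signing infrastructure, never on the device.
type Signer struct {
	ecPriv  *ecdsa.PrivateKey
	pqcPriv ed25519.PrivateKey
}

// RootOfTrust is the device-side public material plus the policy of which legs must verify.
// Required is data rather than hard-coded logic, so a leg can be swapped without touching
// the verification path (crypto agility).
type RootOfTrust struct {
	ecPub    *ecdsa.PublicKey
	pqcPub   ed25519.PublicKey
	Required []AlgID
}

// ErrRejected wraps every verification failure.
var ErrRejected = errors.New("image rejected")

// NewKeyPairs generates fresh, constructed keys for the example.
func NewKeyPairs() (*Signer, *RootOfTrust, error) {
	ecPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	pqcPub, pqcPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rot := &RootOfTrust{ecPub: &ecPriv.PublicKey, pqcPub: pqcPub,
		Required: []AlgID{AlgECDSAP256, AlgPQCStandIn}}
	return &Signer{ecPriv: ecPriv, pqcPriv: pqcPriv}, rot, nil
}

func imageDigest(image []byte) []byte {
	h := sha256.Sum256(image)
	return h[:]
}

// Sign produces both legs over the same image.
func (s *Signer) Sign(image []byte) (*Manifest, error) {
	ecSig, err := ecdsa.SignASN1(rand.Reader, s.ecPriv, imageDigest(image))
	if err != nil {
		return nil, err
	}
	pqcSig := ed25519.Sign(s.pqcPriv, image)
	return &Manifest{Image: image, Sigs: []Signature{{AlgECDSAP256, ecSig}, {AlgPQCStandIn, pqcSig}}}, nil
}

// verifyLeg dispatches on the algorithm identifier; an unknown identifier never counts as valid.
func (r *RootOfTrust) verifyLeg(alg AlgID, image, sig []byte) bool {
	switch alg {
	case AlgECDSAP256:
		return ecdsa.VerifyASN1(r.ecPub, imageDigest(image), sig)
	case AlgPQCStandIn:
		return ed25519.Verify(r.pqcPub, image, sig)
	}
	return false
}

// Authenticate AND-composes the legs: every required leg must be present and verify.
// All legs are evaluated before the single accept/reject decision is made.
func (r *RootOfTrust) Authenticate(m *Manifest) error {
	if len(r.Required) == 0 {
		return fmt.Errorf("%w: empty policy", ErrRejected)
	}
	byAlg := make(map[AlgID][]byte, len(m.Sigs))
	for _, s := range m.Sigs {
		byAlg[s.Alg] = s.Sig
	}
	failed := 0
	for _, alg := range r.Required {
		sig, present := byAlg[alg]
		if !present || !r.verifyLeg(alg, m.Image, sig) {
			failed++
		}
	}
	if failed != 0 {
		return fmt.Errorf("%w: %d of %d required legs failed", ErrRejected, failed, len(r.Required))
	}
	return nil
}

func main() {
	signer, rot, err := NewKeyPairs()
	if err != nil {
		panic(err)
	}
	m, _ := signer.Sign([]byte("constructed firmware image v1")) // constructed sample input
	fmt.Println("hybrid image:", rot.Authenticate(m))
	m.Sigs = m.Sigs[:1] // drop the PQC leg: the image must now be rejected
	fmt.Println("ECC-only image:", rot.Authenticate(m))
}
```

A manifest that carries only the ECC leg, or that labels a leg with an algorithm the policy does not know, is rejected; the policy list is the only thing that changes when a leg is retired or replaced. What this shows is the logical composition and the agility hook only: the side-channel and fault-injection hardening the post calls for lives inside each leg's implementation and in how the final decision is protected, and neither is addressed by this code.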

Yet, combining multiple algorithms may not always be feasible due to the functional and performance constraints of embedded devices. As the field evolves, requests for verifying side-channel attack (SCA) and FI resistance in PQC implementations are increasingly common among customers, especially when they are exploring the right balance between security and performance.

Best practices

As PQC continues to develop, adhering to the latest research on countermeasures, and avoiding blindly taking “vanilla” open-source implementations without SCA and FI protections is critical. The path forward involves preparing for the eventuality of some PQC algorithms being compromised, necessitating a strategy for crypto agility to migrate to alternative solutions or mitigate the impacts of compromised embedded systems. This approach will become integral as certification schemes evolve to phase out outdated or broken algorithms.

The integration of Side-Channel Attack and Fault Injection resistant Post-Quantum Cryptography in embedded systems is not just a technological necessity; it’s a strategic imperative to protect against the dual threats of quantum computing and physical attacks. Riscure has been, and will be, developing analysis modules to ensure the resilience of PQC implementations in both pre-silicon simulation and post-silicon testing. A collective effort between researchers and engineers building (and breaking) countermeasures, balancing security and usability, is required to address the challenges and secure the future of embedded systems.
