
Defending the Digital Realm in the Quantum Era: A Hardware IP Core for Post-Quantum Key Encapsulation

Builders of tomorrow’s digital infrastructure can now move confidently toward resilience, enabled by silicon-ready post-quantum IPs from CAST.

What’s It All About?

Imagine a medieval castle that has always relied on iron gates and elaborate locks to keep invaders out. Those defenses seemed unbreakable for centuries. But one day, a new siege engine appears—able to tear through the strongest gates in hours. The old defenses are suddenly useless. To protect the castle, the guards install locks of a completely new kind—those that cannot be forced open, no matter how powerful the siege engine becomes.

In today’s digital world, our “castles” are data and communications, the siege engine is the quantum computer and the new unbreakable locks are post-quantum cryptographic mechanisms and standards. Digital IP cores are the actual lock mechanisms—engineered in silicon—ready to protect digital infrastructure against quantum attacks.

In this blog article you will learn how post-quantum cryptography (PQC) standards came about and what they are, why they are central to the post-quantum security transition, and how dedicated hardware IP cores make it easier to integrate these powerful new mechanisms directly into chips, systems and secure infrastructure. By the end, you will be familiar with one of the most crucial PQC mechanisms, the Key Encapsulation Mechanism (KEM), and understand how the hardware-accelerated solution provided by CAST offers future-proof protection with real-world performance, scalability and integration benefits.

Background

Quantum computers, once a far-off research dream, are steadily progressing to the point where well-established and widely adopted cryptographic mechanisms such as RSA and ECC will be rendered obsolete. Specifically, there are two algorithms, both invented in the mid-90s, that can theoretically make it dramatically easier to attack today’s cryptography. The first and most important of these is Shor’s algorithm, which reduces the time to solve the integer factorization problem (very hard on classical computers) from exponential complexity to logarithmic complexity. In other words, from billions of years to some weeks.

The other algorithm is Grover’s algorithm, which searches for the input to a black box that produces a given output. It can be used to brute-force keys much faster, but its cost still grows with the size of the key. In practice, finding the key goes from many billions of years to fewer billions of years. Speaking in more security-related terms: a 256-bit AES key offers 128 bits of security against quantum computers.

To make a long story short: in practice, Grover’s algorithm weakens AES, but Shor’s algorithm completely breaks RSA, finite-field DH and ECC DH.

In anticipation of this, in 2016 NIST (the US National Institute of Standards and Technology) launched a global competition to develop and standardize the next generation of public-key algorithms. In 2024, the final versions of the first three PQC standards were released, representing a generational shift in digital security:

  • FIPS 203 – ML-KEM, based on CRYSTALS-Kyber, for key encapsulation
  • FIPS 204 – ML-DSA, based on CRYSTALS-Dilithium, for digital signatures
  • FIPS 205 – SLH-DSA, based on SPHINCS+, enhanced version of digital signatures

Here we will discuss ML-KEM as defined in NIST FIPS 203.

ML-KEM Mechanism

The Module Lattice-based Key Encapsulation Mechanism (ML-KEM) is a quantum-safe exchange of a shared secret key between two parties (client and server) over a public channel. During the exchange, the client generates a decapsulation key and an encapsulation key, keeps the decapsulation key private and sends the encapsulation key (the public key) to the server. The server uses the client’s encapsulation key to generate its copy of the shared key together with an associated ciphertext, and sends the ciphertext to the client. Finally, the client recovers the same shared key from the received ciphertext using its private decapsulation key.

NIST FIPS 203 specifies three parameter sets for ML-KEM, each offering distinct trade-offs between security strength and performance: ML-KEM-512, ML-KEM-768 and ML-KEM-1024. The details of these three parameter sets (including key bit widths and security strength) can be found in NIST FIPS 203.
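The three-step flow described above (client key generation, server encapsulation, client decapsulation), as an added example that is not part of the original article and is not the code of CAST, KiviCore or any FIPS 203 implementation. It is a toy module-lattice KEM in Python, structured like FIPS 203 (a Kyber-style public-key encryption wrapped with the same hash choices H = SHA3-256, G = SHA3-512, J = SHAKE256 and with implicit rejection on a failed re-encryption check), but with assumed toy parameters (N = 32, K = 2, no compression, no bit packing) that are far too small to give any security. It is not ML-KEM; its purpose is to make the roles, the key material and the decapsulation check concrete. The seeds d, z and m stand in for the random bytes a real core draws from its RBG.

```python
import hashlib, hmac, secrets
from functools import reduce

# Toy parameters (NOT the FIPS 203 values): ring Z_q[x]/(x^N + 1), module rank K,
# centered-binomial noise in [-2, 2]. The decryption noise is bounded by 514 < q/4,
# so decryption never fails at these sizes (FIPS 203 uses N = 256 and bit packing).
N, K, Q = 32, 2, 3329
HALF_Q = (Q + 1) // 2          # encoding of a message bit equal to 1
MSG_BYTES = N // 8             # one message bit per polynomial coefficient
DK_PKE_LEN = 2 * N * K         # 2 bytes per coefficient, no bit packing
EK_LEN = DK_PKE_LEN + 32       # t || rho

def poly_add(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def poly_sub(a, b): return [(x - y) % Q for x, y in zip(a, b)]

def poly_mul(a, b):
    """Schoolbook product in Z_q[x]/(x^N + 1): x^N wraps around to -1."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[(i + j) % N] = (res[(i + j) % N] + (ai * bj if i + j < N else -ai * bj)) % Q
    return res

def dot(u, v): return reduce(poly_add, map(poly_mul, u, v))
def mat_vec(a, v, transpose=False):
    return [dot([a[j][i] if transpose else a[i][j] for j in range(K)], v) for i in range(K)]

def sample_uniform(seed):
    """Uniform polynomial: rejection-sample 12-bit values below Q from SHAKE-256."""
    buf = hashlib.shake_256(seed).digest(8 * N)   # 4N candidates, about 81% accepted
    coeffs = [v for v in (int.from_bytes(buf[k:k + 2], "little") & 0xFFF
                          for k in range(0, 8 * N, 2)) if v < Q]
    assert len(coeffs) >= N
    return coeffs[:N]

def sample_cbd(seed):
    """Noise polynomial with coefficients in [-2, 2] (centered binomial, eta = 2)."""
    nibbles = [n for byte in hashlib.shake_256(seed).digest(N // 2) for n in (byte & 0xF, byte >> 4)]
    return [((n & 1) + ((n >> 1) & 1) - ((n >> 2) & 1) - ((n >> 3) & 1)) % Q for n in nibbles]

def encode(polys): return b"".join(c.to_bytes(2, "little") for p in polys for c in p)
def decode(data, count):
    vals = [int.from_bytes(data[k:k + 2], "little") for k in range(0, 2 * N * count, 2)]
    return [vals[i * N:(i + 1) * N] for i in range(count)]
def expand_a(rho): return [[sample_uniform(rho + bytes([i, j])) for j in range(K)] for i in range(K)]

def pke_keygen(d):
    """Underlying public-key encryption, in the shape of FIPS 203's K-PKE."""
    g = hashlib.sha3_512(d).digest()
    rho, sigma = g[:32], g[32:]
    s = [sample_cbd(sigma + bytes([n])) for n in range(K)]
    e = [sample_cbd(sigma + bytes([K + n])) for n in range(K)]
    t = [poly_add(x, y) for x, y in zip(mat_vec(expand_a(rho), s), e)]   # t = A*s + e
    return encode(t) + rho, encode(s)

def pke_encrypt(ek, msg, r):
    t, a = decode(ek, K), expand_a(ek[DK_PKE_LEN:])
    rv = [sample_cbd(r + bytes([n])) for n in range(K)]
    e1 = [sample_cbd(r + bytes([K + n])) for n in range(K)]
    u = [poly_add(x, y) for x, y in zip(mat_vec(a, rv, transpose=True), e1)]   # A^T r + e1
    bits = [(msg[i // 8] >> (i % 8)) & 1 for i in range(N)]
    v = poly_add(poly_add(dot(t, rv), sample_cbd(r + bytes([2 * K]))),       # t.r + e2 + m*q/2
                 [b * HALF_Q for b in bits])
    return encode(u + [v])

def pke_decrypt(dk_pke, ct):
    s, u, v = decode(dk_pke, K), decode(ct, K), decode(ct[DK_PKE_LEN:], 1)[0]
    w = poly_sub(v, dot(s, u))                          # = m*q/2 + small noise
    bits = [((2 * c + Q // 2) // Q) & 1 for c in w]     # round(2w/q) mod 2
    return bytes(sum(bits[i + b] << b for b in range(8)) for i in range(0, N, 8))

# KEM wrapper with ML-KEM's hash choices: H = SHA3-256, G = SHA3-512, J = SHAKE256
def H(x): return hashlib.sha3_256(x).digest()
def G(x): return hashlib.sha3_512(x).digest()
def J(x): return hashlib.shake_256(x).digest(32)

def kem_keygen(d=None, z=None):
    """Client: returns (encapsulation key, decapsulation key); d and z come from an RBG."""
    d = secrets.token_bytes(32) if d is None else d
    z = secrets.token_bytes(32) if z is None else z
    ek, dk_pke = pke_keygen(d)
    return ek, dk_pke + ek + H(ek) + z     # dk bundles ek, H(ek) and the rejection seed z

def kem_encaps(ek, m=None):
    """Server: returns (shared key, ciphertext) computed from the client's ek."""
    m = secrets.token_bytes(MSG_BYTES) if m is None else m
    g = G(m + H(ek))
    return g[:32], pke_encrypt(ek, m, g[32:])

def kem_decaps(dk, ct):
    """Client: recovers the shared key; a forged ciphertext yields a pseudorandom key instead."""
    dk_pke, ek = dk[:DK_PKE_LEN], dk[DK_PKE_LEN:DK_PKE_LEN + EK_LEN]
    h, z = dk[DK_PKE_LEN + EK_LEN:-32], dk[-32:]
    m2 = pke_decrypt(dk_pke, ct)
    g = G(m2 + h)
    # Re-encrypt and compare (implicit rejection). Hardware selects between the two
    # keys without a data-dependent branch; this Python model only approximates that.
    ok = hmac.compare_digest(pke_encrypt(ek, m2, g[32:]), ct)
    return g[:32] if ok else J(z + ct)
```

Running `ek, dk = kem_keygen(); k, ct = kem_encaps(ek); assert kem_decaps(dk, ct) == k` walks through the exchange in the order the article describes. The re-encryption compare in `kem_decaps` is the step whose timing a side-channel-protected core must keep independent of the secret, and a modified ciphertext still returns a 32-byte key, so a caller cannot tell a rejected ciphertext apart from a valid one by the decapsulation result alone.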

A Hardware ML-KEM IP Core

The KiviPQC-KEM ML-KEM Key Encapsulation IP core, provided by CAST and engineered by KiviCore GmbH, is a hardware accelerator for ML-KEM that supports the key generation, encapsulation and decapsulation procedures for all three ML-KEM parameter sets (ML-KEM-512, ML-KEM-768 and ML-KEM-1024), making it suitable for both sides (client and server) of the key exchange. The KiviPQC-KEM IP is available for Microchip’s PolarFire® FPGAs and SoCs.

NIST recommends ML-KEM-768 as the default parameter set due to its substantial security margin at a reasonable performance cost. Where this is impractical, ML-KEM-512 may be used; where even higher security levels are necessary, ML-KEM-1024 may be used. The core makes it easy to select the parameter set best suited to each application; the selection is made before the PQC procedure is initialized.

The core offers enhanced security by being a self-contained engine with a minimal attack surface and by employing protection against timing-based side-channel attacks. At the same time, it is resource-efficient with minimal logic utilization, while offloading the computationally intensive PQC operations from the CPU and accelerating them in hardware.

Integrating the KiviPQC-KEM IP into any SoC for FPGA implementation is straightforward. It is a LINT-clean, reusable design, and communication with the host is handled by a Host Interface Module that manages the control and data flow through an AMBA® AXI4-Lite subordinate port.

The core is currently offered with a software implementation of a Random Byte Generator (RBG), but it can also be integrated with an external (third-party) entropy source and RBG via a fully customized interface, depending on the entropy/RBG selection.

Is This Suitable for Your Application?

The KiviPQC-KEM IP core offers quantum-resistant security for a wide range of applications. In public-key infrastructure and cloud security, it provides long-term confidentiality and integrity for sensitive information. It can play a vital role in safety-critical infrastructure and networks, safeguarding communication and exchange channels from potential threats. In secure IoT device communication, the core provides strong cryptographic support to protect shared secret keys. It is also well suited to hardware security modules (HSMs) and Trusted Platform Modules (TPMs), enhancing secure key management and cryptographic processing. Its capabilities extend to the MACsec Key Agreement (MKA) protocol for secure Ethernet communications and the Internet Key Exchange (IKEv2) protocol, strengthening VPNs and secure network authentication mechanisms, as well as edge computing.

What’s There for You?

If protecting your data and communication “castles” is a concern for you, know that the “barbarians” are moving fast and it is already past time to start considering post-quantum security measures. In particular, if you are already employing key encapsulation mechanisms in the security architecture of your system or application, then you need to upgrade them to PQC sooner rather than later, and the KiviPQC-KEM IP core is one of the best available ways to do this.

All the cores CAST licenses follow the customer-oriented philosophy of A Better IP Experience, i.e. Impeccable Quality, Flexible Licensing and Industry-leading Support.

If you want to learn more about KiviPQC-KEM, visit CAST’s website or contact George Athanasiou directly.

If you want to learn more about how to include the KiviPQC-KEM IP in your next PolarFire SoC product, there is a demo available that highlights secure, quantum-resistant data communication between an FPGA board and a PC. A user-friendly GUI on the PC controls the demo application, which handles the generation of the encryption key and the encapsulation and decapsulation of data.

Tags/Keywords: Security
