Integrating Post-Quantum Cryptography (PQC) on Arty-Z7
1. Intro
Post-quantum cryptography (PQC) is moving from theory to engineering reality. With NIST-standardized algorithms ML-KEM (FIPS 203) and ML-DSA (FIPS 204) now finalized, FPGA developers face a practical challenge:
How to integrate these algorithms efficiently on resource-constrained hardware?
In this article, we walk through how the KiviPQC-Box IP Core works, how it connects to an AMD Zynq-7000 system via AXI4-Lite, and how the software stack (HAL, driver, application layer) helps developers build secure systems with minimal overhead. The goal is to give FPGA and embedded software engineers a clear, practical view of what PQC integration looks like on a real platform.
2. What is the KiviPQC-Box?
The KiviPQC-Box is an IP core that combines the algorithms ML-DSA and ML-KEM into one single package. ML-DSA and ML-KEM are algorithms that are standardized by NIST as post-quantum algorithms defined in NIST FIPS 204 and NIST FIPS 203 and provide cyber secure protection against the threat of quantum computers. ML-KEM enables two parties to securely establish a shared secret key over an untrusted public channel and ML-DSA ensures the authenticity and integrity of signed data far into the future. With both algorithms implemented in KiviPQC-Box you can:
- Generate digital signatures to verify data integrity and detect any unauthorized modifications of signed data
- Ensure authenticity by proving that a digital signature was created by the stated signer (non-repudiation).
- Securely establish a shared secret key over an untrusted public channel that creates the foundation for encrypted communication
The KiviPQC-Box includes a standard AMBA® AXI4-Lite interface for easy hardware integration and provides platform-independent C code, HAL, and API drivers to simplify software integration with the host processor.
2. Hardware Integration
2.1 Architecture
The KiviPQC IP Core is supported by the AMD Vivado FPGA tools. For this implementation, we utilize the Digilent Arty-Z7 development board that utilizes a Cortex-A9 processor based Zynq-7000 Processing System (PS) that interfaces with the KiviPQC IP core. The PS is configured to include built-in on-chip memory (OCM) and DDR RAM as application RAM, a 4-bit GPIO, an UART and a general purpose AXI master port. The PS is placed within a Vivado block design (see Figure 1) which is used to connect the PS to an AXI4-Lite bridge interfacing the KiviPQC IP-Cores (PL).
In this architecture:
- The PS (ARM CPU) acts as the host controller, running the application software and driver layer
- The PL (FPGA) hosts the KiviPQC-Box IP Core
- The AXI4-Lite interface connects the KiviPQC IP Core to the P
KiviPQC-Box IP core demo design block diagram
2.2 Interfacing KiviPQC-Box IP Core
Integration into Vivado is easy thanks to a standardized IP packaging flow and a standardized interface. The KiviPQC IP Core is packaged as a Vivado IP and can be imported to the IP catalogue of Vivado. It behaves like a classic AXI slave.
- Block design: In the Vivado block design, the Zynq Processing System (PS) is connected to an AXI interconnect. The IP Core is directly connected using the Vivado automated tool flow.
- Clocking: The IP core uses a single clock signal for the entire sequential logic and the host interface. The clock can be easily set up using the PS block design settings.
- Resource consumption: Even on smaller FPGAs, the footprint remains manageable. For example, a KiviPQC-Box-Tiny core occupies only about 3900 LUTs on AMD FPGAs.
After synthesis and implementation, the bitstream is created and the hardware description (.xsa) is exported. The following diagram shows the block design embedding the PS. The hardware description file can be utilized to start software development on the Arty Z7 board.
Arty Z7 block design with PS, PS reset, AXI interconnect, and KiviPQC IP Core
3. Software Integration
The KiviPQC IP Core software API is based on C code and can be ported to several host controller platforms. Those could be based on ARM or RISC-V CPUs. The KiviPQC software API can be used with AMD Vitis (Eclipse or VS Code based IDE) or proprietary toolchains.
KiviCore provides a layered software architecture to simplify development, consisting of Low-Level Driver (DRV), and Hardware Abstraction Layer (HAL). The Application Layer (APP) is added by the user. The following figure shows the layers of the basic software architecture for using the KiviPQC IP core in a host system. The layers are stacked vertically, showing the flow of communication from the user-facing application down to the physical hardware and back up.
KiviPQC Software Architecture
3.1 Hardware Abstraction Layer
The HAL provides low-level access to the IP’s register map. It defines register offsets, constants, and memory-mapped I/O primitives. It performs no error checking, leaving higher layers free to enforce safety. Its purpose is portability: any platform-specific differences in MMIO access are isolated here.
3.2 Driver Layer
The driver abstracts the PQC hardware and provides a validated, safe API. This layer exposes simple, operation-level functions: KeyGen, Encaps, Decaps, Sign, Verify, without requiring knowledge of register-level details. Its responsibilities include:
- Validating parameters and buffer sizes
- Setting and checking PQC modes
- Ensuring operations are only started when the core is ready
- Monitoring interrupt flags, ready/busy states, and timeouts
- Handling hardware errors (entropy faults, ML-KEM/ML-DSA errors, config errors)
- Providing debugging and logging utilities
3.3 Application Layer
There is a reference application layer available which contains reference implementations for both ML-KEM and ML-DSA. It shows how to initialize the PQC subsystem, execute key exchange flows, sign messages, verify signatures, and integrate PQC into real systems.
Because it builds on the driver, the application code remains concise and hardware-agnostic.
4. Summary
The KiviPQC-Box provides a compact and practical way to bring NIST-standardized post-quantum cryptography onto FPGA-based systems. By combining ML-KEM and ML-DSA into a single IP core, offering a small footprint, and exposing a clean AXI4-Lite interface, it fits naturally into existing ARM and RISC-V-based SoC designs.
On the software side, its layered architecture - HAL, driver, and application layer - keeps the integration effort low and ensures that both hardware interactions and PQC workflows remain transparent and maintainable. Whether you need key establishment, digital signatures, or a full PQC subsystem, the KiviPQC-Box provides a complete hardware/software package that is straightforward to port and deploy.
5. Try it Yourself
You can test the full hardware + software flow yourself.
Register now in the KiviCore Evaluation Portal to download free time-bombed evaluation packages, including:
- Netlist IP core
- Integration examples
- Complete HAL & driver functionality
- Documentation
Start integrating PQC hardware and get your free eval package now!
Related Semiconductor IP
- Post-Quantum Key Encapsulation and Digital Signature IP Core
- Post-Quantum Digital Signature IP Core
- Post-Quantum Key Encapsulation IP Core
- Ultra-Low-Power LPDDR3/LPDDR2/DDR3L Combo Subsystem
- 1G BASE-T Ethernet Verification IP
Related Blogs
- Side-Channel Attacks On Post-Quantum Cryptography
- The future of public key cryptography will be post-quantum cryptography
- Why Now Is the Time to Address Quantum Computing's Impact on Cryptography
- Mitigating Side-Channel Attacks In Post Quantum Cryptography (PQC) With Secure-IC Solutions
Latest Blogs
- AV1 Image File Format Specification Gets an Upgrade with AVIF v1.2.0
- Industry’s First End-to-End eUSB2V2 Demo for Edge AI and AI PCs at CES
- Integrating Post-Quantum Cryptography (PQC) on Arty-Z7
- UA Link PCS customizations from 800GBASE-R Ethernet PCS Clause 172
- Enabling End-to-End EDA Flow on Arm-Based Compute for Infrastructure Flexibility