lowRISC Tackles Post-Quantum Cryptography Challenges through Research Collaborations
Cryptography is undergoing profound change in preparation for the arrival of viable quantum computers. Many classical cryptographic algorithms would be rendered insecure by quantum computers, which can solve in practical time certain problems for which no efficient classical algorithms are known. Cryptographic algorithms (encryption, authentication, key establishment, etc.) whose security rests on problems that have efficient quantum solutions can no longer be sensibly used in a quantum-equipped world. They need to be replaced by alternatives that are secure on both classical and quantum computers, basing their hardness on a new set of problems deemed intractable even for quantum computers.
Post-quantum cryptography (PQC) recently reached its first tangible milestone beyond research with the NIST standardisation of a set of quantum-secure encryption and signature algorithms [1], alongside a timeline for when NIST-compliant software and hardware has to adopt these schemes and deprecate insecure ones [2]. The majority of these algorithms are lattice-based constructions, where a lattice denotes a specially parametrised polynomial space in which the cryptographic computation unfolds. In July 2022, NIST announced three lattice-based algorithms as winners of its PQC competition, among them the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM, formerly known as CRYSTALS-Kyber) and the Module-Lattice-Based Digital Signature Standard (ML-DSA, formerly known as CRYSTALS-Dilithium).
The efficient implementation of lattice-based algorithms is a fiercely active research discipline, owing its prominence to the perceived inefficiencies introduced by the complex nature of lattice-based cryptography. In the following, we showcase three research projects, conducted by lowRISC® in collaboration with researchers from different universities, that tackle the question of accelerating lattice schemes from different angles.
Accelerated Implementation of Lattice-Based Cryptography on OpenTitan
Shortly after NIST announced ML-DSA and ML-KEM as winners, lowRISC started investigating their accelerated implementation on OpenTitan®. OpenTitan, the open-source silicon root of trust (SiRoT) project, features a programmable co-processor named OpenTitan Big Number Accelerator (OTBN) to execute asymmetric cryptography algorithms. While related work had suggested adding new functional units dedicated to PQC into OTBN [3], our idea was to reuse OTBN’s existing datapath as much as possible, but in ways that are not possible with existing OTBN instructions. Between October 2023 and June 2024, an MPhil thesis [4] supervised by Prof. Frank Stajano, Full Professor for Security and Privacy at the University of Cambridge, in collaboration with lowRISC developed and evaluated eight new OTBN instructions to accelerate ML-DSA and ML-KEM. The new instructions vectorize OTBN’s 256-bit-wide datapath into SIMD elements that are 16 to 32 bits wide, which corresponds to the width of the integers in ML-DSA and ML-KEM. The evaluation focused on the Number Theoretic Transform (NTT), which is the most computationally expensive primitive in ML-DSA and ML-KEM. Compared to a baseline NTT implementation using only existing OTBN instructions, the eight new instructions allow OTBN to execute the NTT 21.1 times faster. The results were published in July 2024 [5]. Just one month later, NIST released the ML-KEM (FIPS 203) and ML-DSA (FIPS 204) standards.
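To make concrete what the NTT being accelerated here actually computes, the following is an added reference implementation (not OTBN code and not part of the lowRISC work described above) of the ML-KEM transform as specified in FIPS 203: the forward NTT, the inverse NTT and the NTT-domain multiplication over Z_q[X]/(X^256 + 1) with q = 3329 and ζ = 17. The schoolbook negacyclic product is included only to cross-check the result. Every coefficient is a 12-bit value, which is why 16-bit SIMD lanes on a 256-bit datapath can process sixteen butterfly operands at once; the butterfly count returned by `butterfly_count()` is this example's own bookkeeping, not a figure from the page.

```python
# Added example: FIPS 203 NTT / inverse NTT / NTT-domain multiply in plain
# Python. Constants are those of ML-KEM; the code is a reference, not OTBN code.
import random

Q = 3329            # ML-KEM modulus
N = 256             # polynomial degree bound: ring is Z_q[X]/(X^256 + 1)
ZETA = 17           # primitive 256th root of unity mod q (FIPS 203)
N_INV_HALF = 3303   # 128^-1 mod q, the final scaling of the inverse NTT


def bitrev7(k):
    """Reverse the 7 low bits of k (FIPS 203 BitRev7)."""
    return int(f"{k:07b}"[::-1], 2)


def ntt(f):
    """Forward NTT (FIPS 203 Algorithm 9): 7 layers of Cooley-Tukey butterflies.

    q - 1 = 2^7 * 13 has no 512th root of unity, so the transform stops at
    128 degree-one polynomials rather than 256 single field elements.
    """
    f = list(f)
    k = 1
    length = 128
    while length >= 2:
        for start in range(0, N, 2 * length):
            zeta = pow(ZETA, bitrev7(k), Q)
            k += 1
            for j in range(start, start + length):
                t = zeta * f[j + length] % Q          # one butterfly: mul, sub, add
                f[j + length] = (f[j] - t) % Q
                f[j] = (f[j] + t) % Q
        length //= 2
    return f


def intt(f_hat):
    """Inverse NTT (FIPS 203 Algorithm 10): Gentleman-Sande butterflies."""
    f = list(f_hat)
    k = 127
    length = 2
    while length <= 128:
        for start in range(0, N, 2 * length):
            zeta = pow(ZETA, bitrev7(k), Q)
            k -= 1
            for j in range(start, start + length):
                t = f[j]
                f[j] = (t + f[j + length]) % Q
                f[j + length] = zeta * (f[j + length] - t) % Q
        length *= 2
    return [x * N_INV_HALF % Q for x in f]


def multiply_ntts(f_hat, g_hat):
    """Pairwise product in the NTT domain (FIPS 203 Algorithms 11 and 12)."""
    h = [0] * N
    for i in range(N // 2):
        gamma = pow(ZETA, 2 * bitrev7(i) + 1, Q)
        a0, a1 = f_hat[2 * i], f_hat[2 * i + 1]
        b0, b1 = g_hat[2 * i], g_hat[2 * i + 1]
        h[2 * i] = (a0 * b0 + a1 * b1 * gamma) % Q
        h[2 * i + 1] = (a0 * b1 + a1 * b0) % Q
    return h


def schoolbook_negacyclic(f, g):
    """O(n^2) product in Z_q[X]/(X^256 + 1), used only to cross-check the NTT path."""
    h = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if i + j < N:
                h[i + j] = (h[i + j] + fi * gj) % Q
            else:
                h[i + j - N] = (h[i + j - N] - fi * gj) % Q   # X^256 = -1
    return h


def poly_mul(f, g):
    """Polynomial multiplication the ML-KEM way: NTT, pairwise multiply, inverse NTT."""
    return intt(multiply_ntts(ntt(f), ntt(g)))


def butterfly_count():
    """Butterflies in one forward NTT: 7 layers of 128 (example's own count)."""
    return 7 * (N // 2)


if __name__ == "__main__":
    rng = random.Random(2024)
    f = [rng.randrange(Q) for _ in range(N)]
    g = [rng.randrange(Q) for _ in range(N)]
    assert intt(ntt(f)) == f
    assert poly_mul(f, g) == schoolbook_negacyclic(f, g)
    print("NTT round-trip and NTT multiplication agree with schoolbook;",
          butterfly_count(), "butterflies per NTT")
```

Each butterfly is a modular multiply followed by a modular add and subtract, and the butterflies within one layer are independent of each other, which is exactly the structure a lane-wise SIMD instruction exploits.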
Design and Optimization of a PQC ISA Extension for OTBN
lowRISC’s next step was to investigate the impact of extending OTBN with vector instructions on silicon area and critical path delay. To this end, we collaborated with Prof. Luca Benini, Full Professor and Chair of Digital Circuits and Systems at ETH Zurich. Prof. Benini’s group has a very strong background in the design of ASICs and of vector extensions for RISC-V processors. In Fall 2024, a semester thesis implemented, verified, and evaluated different architectural variants and optimizations for area and timing trade-offs, providing important data points for guiding the discussion on how to balance area, timing impact, and performance gain for OpenTitan. The source code of this work is available on GitHub, and the report as well as the slides are publicly available, too.
Side-Channel Hardened ML-DSA Implementation on OpenTitan
Just like classical cryptography, PQC faces significant hurdles when it comes to implementation security: even functionally correct implementations may leak secret information through so-called side channels. Because PQC schemes are relatively new, research into techniques for protecting their implementations against side-channel attacks is not yet as mature as for classical schemes. One important aspect that isn’t fully clear yet is the performance impact of securing ML-DSA against these attacks.
To help shed light on this critical area, lowRISC recently collaborated again with Prof. Benini’s group at ETH Zurich on a Master’s thesis addressing the challenge of implementing a side-channel hardened version of ML-DSA. The project leveraged insights from a recent paper [6] that offered a detailed cryptanalysis identifying the security-critical variables and functions requiring protection through masking gadgets. The hardened ML-DSA implementation on OTBN is available on GitHub.
To verify the efficacy of this approach, a comprehensive leakage assessment was undertaken. This involved power trace capture on an FPGA for both unhardened and hardened implementations, followed by analysis via Test Vector Leakage Assessment (TVLA). The assessment revealed significant leakage in the unhardened version, while the hardened implementation exhibited minimal to no leakage.
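The fixed-vs-random TVLA methodology mentioned above is simple enough to show end to end. The following is an added example, not code from the lowRISC or ETH Zurich work: it builds constructed power traces under a toy Hamming-weight leakage model (Gaussian noise plus the Hamming weight of an 8-bit intermediate at one sample point), once for an unprotected intermediate and once for a two-share Boolean-masked one, and runs Welch's t-test at every sample point against the conventional |t| > 4.5 threshold. The leakage model, trace length, noise level and trace counts are all assumptions of the example.

```python
# Added example: fixed-vs-random TVLA over constructed traces. The leakage
# model (Hamming weight + Gaussian noise) and all parameters are assumptions.
import math
import random

T_THRESHOLD = 4.5   # conventional TVLA pass/fail threshold on |t|


def hamming_weight(x):
    return bin(x).count("1")


def welch_t(a, b):
    """Welch's t-statistic for two samples with possibly unequal variances."""
    na, nb = len(a), len(b)
    ma, mb = sum(a) / na, sum(b) / nb
    va = sum((v - ma) ** 2 for v in a) / (na - 1)
    vb = sum((v - mb) ** 2 for v in b) / (nb - 1)
    return (ma - mb) / math.sqrt(va / na + vb / nb)


def tvla(fixed_traces, random_traces):
    """Per-sample t-values of the fixed-vs-random test."""
    n_points = len(fixed_traces[0])
    return [welch_t([tr[i] for tr in fixed_traces],
                    [tr[i] for tr in random_traces]) for i in range(n_points)]


def simulate_trace(rng, value, masked, n_points=32, leak_point=12, noise=1.0):
    """Constructed trace: noise everywhere, plus the Hamming weight of what the
    device handles at `leak_point`. Unmasked: the intermediate itself.
    Masked: only the two shares value ^ m and m ever exist in the device."""
    trace = [rng.gauss(0.0, noise) for _ in range(n_points)]
    if masked:
        m = rng.randrange(256)
        leak = hamming_weight(value ^ m) + hamming_weight(m)
    else:
        leak = hamming_weight(value)
    trace[leak_point] += leak
    return trace


def collect(rng, n, masked, fixed_value=0x01):
    """One fixed set (constant intermediate) and one random set, interleaved in practice."""
    fixed = [simulate_trace(rng, fixed_value, masked) for _ in range(n)]
    rand = [simulate_trace(rng, rng.randrange(256), masked) for _ in range(n)]
    return fixed, rand


def assess(masked, n=300, seed=1):
    """Largest |t| over all sample points for one campaign."""
    rng = random.Random(seed)
    fixed, rand = collect(rng, n, masked)
    return max(abs(t) for t in tvla(fixed, rand))


def leaks(masked, n=300, seed=1):
    return assess(masked, n, seed) > T_THRESHOLD


if __name__ == "__main__":
    for masked in (False, True):
        label = "masked" if masked else "unmasked"
        verdict = "FAIL (leakage)" if leaks(masked) else "pass"
        print(f"{label}: max |t| = {assess(masked):.1f} -> {verdict}")
```

The unmasked campaign fails because the fixed set's intermediate has a different Hamming weight than the average random one, so the means differ at the leaking sample. In the masked campaign the first-order means agree, so the test passes; note that it is a first-order test only, and in this toy model the share-sum variance still differs between the two sets, which a second-order (centred-square) TVLA would flag.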
Despite the security gains, the hardened implementation incurred a substantial performance overhead, primarily due to the cost of Boolean-to-arithmetic (B2A) and arithmetic-to-Boolean (A2B) masking conversions. To address this, further investigation led to the implementation of a B2A ISA extension accelerating these operations. When a dedicated A2B ISA extension is added as well, the accelerated hardened implementation is 3.4 times faster than the hardened baseline implementation.
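The conversions named above exist because a masked signature scheme mixes arithmetic on secret polynomial coefficients (cheap on arithmetic shares, where x = A + r) with bitwise operations and comparisons such as bound checks (cheap on Boolean shares, where x = x' XOR r). The following added example, not code from the thesis or from OTBN, implements first-order sharing in both domains together with Goubin's classic B2A and A2B conversions for a k-bit value modulo 2^k. The power-of-two modulus is Goubin's setting and an assumption of this example; the fresh random value each conversion needs is passed in as a parameter so that the functions stay deterministic for testing.

```python
# Added example: first-order Boolean/arithmetic masking and Goubin's (CHES 2001)
# B2A and A2B conversions modulo 2^k. Plain Python, not OTBN code.
import random


def bits(k):
    return (1 << k) - 1


def boolean_shares(x, r, k):
    """Boolean sharing: x = x' XOR r, with r uniformly random."""
    return (x ^ r) & bits(k), r


def arithmetic_shares(x, r, k):
    """Arithmetic sharing: x = A + r mod 2^k, with r uniformly random."""
    return (x - r) & bits(k), r


def b2a_goubin(x_masked, r, gamma, k):
    """B2A: given x' with x = x' XOR r, return A with x = A + r mod 2^k.
    Seven operations regardless of k; gamma is a fresh random k-bit value."""
    m = bits(k)
    t = x_masked ^ gamma
    t = (t - gamma) & m
    t ^= x_masked
    gamma ^= r
    a = x_masked ^ gamma
    a = (a - gamma) & m
    a ^= t
    return a


def a2b_goubin(a, r, gamma, k):
    """A2B: given A with x = A + r mod 2^k, return x' with x = x' XOR r.
    The carry chain is resolved bit by bit, so the loop runs k-1 times: the cost
    grows with the share width, which is why A2B is the expensive direction."""
    m = bits(k)
    t = (2 * gamma) & m
    x_masked = gamma ^ r
    omega = gamma & x_masked
    x_masked = t ^ a
    gamma ^= x_masked
    gamma &= r
    omega ^= gamma
    gamma = t & a
    omega ^= gamma
    for _ in range(k - 1):
        gamma = t & r
        gamma ^= omega
        t &= a
        gamma ^= t
        t = (2 * gamma) & m
    return x_masked ^ t


def masked_sign_bit(a, r, gamma, k):
    """Top bit of a secret held in arithmetic shares, returned as Boolean shares.
    Extracting a bit needs the Boolean domain, hence one A2B conversion; the
    shares are then reduced independently and the secret is never recombined."""
    x_masked = a2b_goubin(a, r, gamma, k)
    return (x_masked >> (k - 1)) & 1, (r >> (k - 1)) & 1


if __name__ == "__main__":
    k = 16
    rng = random.Random(7)
    x = rng.randrange(1 << k)
    r, gamma = rng.randrange(1 << k), rng.randrange(1 << k)
    a, _ = arithmetic_shares(x, r, k)
    xm = a2b_goubin(a, r, gamma, k)
    assert xm ^ r == x
    assert (b2a_goubin(xm, r, gamma, k) + r) & bits(k) == x
    s0, s1 = masked_sign_bit(a, r, gamma, k)
    assert s0 ^ s1 == x >> (k - 1)
    print(f"x={x:#06x}: A2B and B2A round-trips OK, sign bit = {s0 ^ s1}")
```

Only the shares are ever operated on; recombining `xm ^ r` or `(a + r) mod 2^k` in the example happens solely to check the conversions. The asymmetry between the constant-cost B2A and the k-iteration A2B is the reason dedicated conversion instructions pay off in a hardened implementation.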
Conclusion
The shift to post-quantum cryptography (PQC) is a critical undertaking, driven by the impending threat of quantum computers to classical cryptography. As NIST has standardized quantum-secure algorithms such as ML-DSA, the focus is now on their efficient and secure implementation. lowRISC’s research collaborations with the University of Cambridge and ETH Zurich have explored various facets of this challenge on the OpenTitan platform, from accelerating lattice-based cryptography through instruction set extensions to hardening implementations against side-channel attacks.
lowRISC’s clear vision and technical expertise in this area allow us to design, and effectively collaborate in the creation of, commercial-grade, open source PQC-ready secure silicon.
lowRISC® C.I.C. is a not-for-profit engineering company that creates and maintains commercial-grade open source silicon designs through its collaborative Silicon Commons® approach. If you would like to find out more about lowRISC and our approach to PQC, contact us at info@lowrisc.org.
1. NIST (2024). Announcing Approval of Three Federal Information Processing Standards (FIPS) for Post-Quantum Cryptography. https://csrc.nist.gov/News/2024/postquantum-cryptography-fips-approved
2. Moody, D. et al. (2024). Transition to Post-Quantum Cryptography Standards. National Institute of Standards and Technology, Gaithersburg, MD, NIST Internal Report (IR) NIST IR 8547 ipd. https://doi.org/10.6028/NIST.IR.8547.ipd
3. Stelzer, T. et al. (2023). Enabling Lattice-Based Post-Quantum Cryptography on the OpenTitan Platform. In Proceedings of the 2023 Workshop on Attacks and Solutions in Hardware Security (ASHES ’23). Association for Computing Machinery, New York, NY, USA, 51–60. https://doi.org/10.1145/3605769.3623993
4. Urquhart, E. (2024). Acceleration of Post-Quantum Cryptography on OpenTitan Big Number Accelerator using Instruction Set Extensions. MPhil thesis, Trinity College, University of Cambridge. https://www.cl.cam.ac.uk/~fms27/papers/2024-Urquhart-acceleration.pdf
5. Urquhart, E. et al. (2025). Acceleration of Core Post-quantum Cryptography Primitive on Open-Source Silicon Platform Through Hardware/Software Co-design. In: Kohlweiss, M., Di Pietro, R., Beresford, A. (eds) Cryptology and Network Security. CANS 2024. Lecture Notes in Computer Science, vol 14905. Springer, Singapore. https://doi.org/10.1007/978-981-97-8013-6_7
6. Azouaoui, M. et al. (2023). Protecting Dilithium against Leakage: Revisited Sensitivity Analysis and Improved Implementations. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2023(4) (Aug. 2023), 58–79. https://doi.org/10.46586/tches.v2023.i4.58-79