NIST recently announced the winners of its post-quantum cryptography (PQC) standardization process and outlined the next steps in its ongoing standardization efforts. With fewer algorithms now in focus of the cryptographic community, the time has come to intensify the investigation of efficiency and physical security aspects of PQC algorithms. This is required to enable PQC in real-life applications and to provide feedback to NIST and submitters before final standardization. To allow widespread adoption, the implementation of PQC in current microchip technologies must be possible within application- or platform-specific constraints such as area, memory, time, power, and energy budgets. Furthermore, more and more PQC use-cases require resistance to physical attacks like power analysis.

The primary aim of this Dagstuhl Seminar is to initiate deeper investigations into secure and efficient implementations of PQC on hardware and hardware/software codesign platforms. In this direction, this seminar aims to bring together world-renowned researchers in theoretical cryptology, applied cryptography, cryptographic hardware and software systems, and physical security. The goal is to identify new challenges and research directions, exchange thoughts and ideas, and initiate collaborations on researching secured and efficient design methodologies for PQC.

Specific challenges we aim to address are:

• Efficiency metrics: What are the correct metrics to compare implementations of diverse PQC schemes?
• HW/SW Co-design: How to partition operations of PQC schemes between HW and SW?
• Agility and reuse: How can we design HW accelerators supporting a wide variety of PQC schemes?
• Physical attacks: Shall countermeasures be implemented in HW or SW, can we exploit the mathematical properties of some PQC algorithms to derive low-overhead countermeasures?
• Certification and security metrics for PQC: What are the correct metrics to assess the physical security of PQC implementations?
• Proactive security: Could new PQC schemes be designed such that they become more resistant to physical attacks?

Creative Commons BY 4.0

Thomas Pöppelmann, Sujoy Sinha Roy, and Ingrid Verbauwhede