April 10 – 13 , 2023, Dagstuhl Seminar 23152

Secure and Efficient Post-Quantum Cryptography in Hardware and Software


Thomas Pöppelmann (Infineon Technologies AG – Neubiberg, DE)
Sujoy Sinha Roy (TU Graz, AT)
Ingrid Verbauwhede (KU Leuven, BE)

For support, please contact

Christina Schwarz for administrative matters

Andreas Dolzmann for scientific matters


NIST recently announced the winners of its post-quantum cryptography (PQC) standardization process and outlined the next steps in its ongoing standardization efforts. With fewer algorithms now in focus of the cryptographic community, the time has come to intensify the investigation of efficiency and physical security aspects of PQC algorithms. This is required to enable PQC in real-life applications and to provide feedback to NIST and submitters before final standardization. To allow widespread adoption, the implementation of PQC in current microchip technologies must be possible within application- or platform-specific constraints such as area, memory, time, power, and energy budgets. Furthermore, more and more PQC use-cases require resistance to physical attacks like power analysis.

The primary aim of this Dagstuhl Seminar is to initiate deeper investigations into secure and efficient implementations of PQC on hardware and hardware/software codesign platforms. In this direction, this seminar aims to bring together world-renowned researchers in theoretical cryptology, applied cryptography, cryptographic hardware and software systems, and physical security. The goal is to identify new challenges and research directions, exchange thoughts and ideas, and initiate collaborations on researching secured and efficient design methodologies for PQC.

Specific challenges we aim to address are:

  • Efficiency metrics: What are the correct metrics to compare implementations of diverse PQC schemes?
  • HW/SW Co-design: How to partition operations of PQC schemes between HW and SW?
  • Agility and reuse: How can we design HW accelerators supporting a wide variety of PQC schemes?
  • Physical attacks: Shall countermeasures be implemented in HW or SW, can we exploit the mathematical properties of some PQC algorithms to derive low-overhead countermeasures?
  • Certification and security metrics for PQC: What are the correct metrics to assess the physical security of PQC implementations?
  • Proactive security: Could new PQC schemes be designed such that they become more resistant to physical attacks?

Motivation text license
  Creative Commons BY 4.0
  Thomas Pöppelmann, Sujoy Sinha Roy, and Ingrid Verbauwhede


  • Cryptography And Security
  • Hardware Architecture


  • Post-quantum cryptography
  • Hardware security
  • Efficient implementations
  • Side-channel analysis


In the series Dagstuhl Reports each Dagstuhl Seminar and Dagstuhl Perspectives Workshop is documented. The seminar organizers, in cooperation with the collector, prepare a report that includes contributions from the participants' talks together with a summary of the seminar.


Download overview leaflet (PDF).

Dagstuhl's Impact

Please inform us when a publication was published as a result from your seminar. These publications are listed in the category Dagstuhl's Impact and are presented on a special shelf on the ground floor of the library.


Furthermore, a comprehensive peer-reviewed collection of research papers can be published in the series Dagstuhl Follow-Ups.