Search the Dagstuhl Website
Looking for information on the websites of the individual seminars? - Then please:
Not found what you are looking for? - Some of our services have separate websites, each with its own search option. Please check the following list:
Schloss Dagstuhl - LZI - Logo
Schloss Dagstuhl Services
Within this website:
External resources:
  • DOOR (for registering your stay at Dagstuhl)
  • DOSA (for proposing future Dagstuhl Seminars or Dagstuhl Perspectives Workshops)
Within this website:
External resources:
Within this website:
External resources:
  • the dblp Computer Science Bibliography

Dagstuhl Seminar 23152

Secure and Efficient Post-Quantum Cryptography in Hardware and Software

( Apr 10 – Apr 13, 2023 )

(Click in the middle of the image to enlarge)

Please use the following short url to reference this page:





Our present-day public-key infrastructures primarily rely on RSA and elliptic curve cryptography (ECC). In case a powerful quantum computer is built in the near future, these public-key infrastructures will become completely insecure. Post-quantum cryptography (PQC) aims at developing new cryptographic protocols that will remain appropriately secure even after powerful quantum computers are built.

Even if powerful quantum computers are still far out, replacement algorithms for public-key algorithms need to be developed and implemented now. These algorithms must show appropriate cryptographic security, i.e., resistant to the attacks from quantum and classical computers. On top, their implementations need to be efficient in current microchip technologies, implementable within the constrained area, time, power, and energy budgets. This is very important to enable PQC-based protection of information processed by (battery-powered) Internet of things (IoT) devices or smart cards. At the same time, more and more use-cases require resistance to physical attacks. When an attacker has physical access to a device, the attacker may try to manipulate or observe it during cryptographic operations. The most common physical attacks are side-channel and fault attacks that usually aim to extract a secret key.

The existing PQC algorithms are classified into five categories depending on their underlying hard problems: lattice-based, multivariate polynomial-based, hash-based, code-based, and supersingular isogeny-based. Of them, lattice-based PQC is currently the frontrunner as evident from the fact that the majority of the PQC candidate schemes that were submitted to NIST’s Post Quantum Cryptography Standardisation project are lattice-based. A significant volume of research has been performed on studying the security, performance, and application aspects of lattice-based PQC and even more narrowly focused on the algorithms submitted to the NIST call.

There is a need to have a diverse set of algorithms for post-quantum public-key cryptography. One main concern is security and risk management: if a specific class of PQC becomes weaker or is even considered broken in the advent of new cryptanalysis, then there must be other reliable classes of PQC that will offer high security. Indeed the 4th round of NIST’s PQC standardization, which will start at the end of the 3rd round, will aim at broadening the set of PQC algorithms. Furthermore, in this direction, NIST indicated that a new call for proposals for PQC signature algorithms (focusing on non-lattice-based algorithms) is planned with a deadline in 2023. Besides the security aspects, each class of PQC has its own advantages. For example, code-based key agreement schemes have small ciphertexts and could be useful in applications where the public keys are known. The isogeny-based key agreement scheme SIKE has the smallest public-key and a small ciphertext size but relatively low performance. In the last few years, several new isogeny-based signature schemes have been developed with small key and signature sizes. Hash-based signature schemes have security guarantees based on hash functions and they have the advantage of (re)using a hash hardware module if the hardware platform has it. Multivariate signature schemes offer fast signing and verifying and very short signatures.

This Dagstuhl Seminar focused on answering the following questions in the context of post-quantum cryptography.

  • Efficiency and correct metrics: Depending on the application, efficiency can be the area or memory size, throughput or latency, power and energy, or a combination of them. Can we have tailored implementations to satisfy one or several such metrics?
  • HW/SW Co-design: The right form of interaction of a CPU with HW-based post-quantum acceleration needs to be determined: Options are instruction set extension or usage of domain-specific co-processors. How to determine the splitting of computation tasks between HW and SW?
  • Agility and reuse: How can complex HW accelerators and controlling SW be reused? For example, can a compact HW accelerator be reused for a high throughput version? And how easy can different processing units, such as polynomial arithmetic or hash modules, support multiple schemes?
  • Physical attacks: For many use-cases, PQC implementations need to be resistant to side-channel and fault-based attacks. Are low overhead countermeasures feasible? Shall countermeasures be implemented in HW or SW? Can we exploit the mathematical properties of some PQC algorithms to derive low-overhead countermeasures?
  • Proactive security: Can we construct new PQC algorithms in such a way that they become more resistant to physical attacks and more efficient in HW and SW by design?

To find answers to the above-mentioned questions, the following workgroups were formed:

  • Efficient implementation aspects of PQC
  • Physical security aspects of PQC
  • Theoretical aspects of PQC
  • Application and migration
Copyright Thomas Pöppelmann, Sujoy Sinha Roy, and Ingrid Verbauwhede


NIST recently announced the winners of its post-quantum cryptography (PQC) standardization process and outlined the next steps in its ongoing standardization efforts. With fewer algorithms now in focus of the cryptographic community, the time has come to intensify the investigation of efficiency and physical security aspects of PQC algorithms. This is required to enable PQC in real-life applications and to provide feedback to NIST and submitters before final standardization. To allow widespread adoption, the implementation of PQC in current microchip technologies must be possible within application- or platform-specific constraints such as area, memory, time, power, and energy budgets. Furthermore, more and more PQC use-cases require resistance to physical attacks like power analysis.

The primary aim of this Dagstuhl Seminar is to initiate deeper investigations into secure and efficient implementations of PQC on hardware and hardware/software codesign platforms. In this direction, this seminar aims to bring together world-renowned researchers in theoretical cryptology, applied cryptography, cryptographic hardware and software systems, and physical security. The goal is to identify new challenges and research directions, exchange thoughts and ideas, and initiate collaborations on researching secured and efficient design methodologies for PQC.

Specific challenges we aim to address are:

  • Efficiency metrics: What are the correct metrics to compare implementations of diverse PQC schemes?
  • HW/SW Co-design: How to partition operations of PQC schemes between HW and SW?
  • Agility and reuse: How can we design HW accelerators supporting a wide variety of PQC schemes?
  • Physical attacks: Shall countermeasures be implemented in HW or SW, can we exploit the mathematical properties of some PQC algorithms to derive low-overhead countermeasures?
  • Certification and security metrics for PQC: What are the correct metrics to assess the physical security of PQC implementations?
  • Proactive security: Could new PQC schemes be designed such that they become more resistant to physical attacks?
Copyright Thomas Pöppelmann, Sujoy Sinha Roy, and Ingrid Verbauwhede

  • Aydin Aysu (North Carolina State University - Raleigh, US) [dblp]
  • Andrea Basso (University of Bristol, GB) [dblp]
  • Gaetan Cassiers (TU Graz, AT) [dblp]
  • Jan-Pieter D'Anvers (KU Leuven, BE) [dblp]
  • Thomas Eisenbarth (Universität Lübeck, DE) [dblp]
  • Tim Fritzmann (Infineon Technologies AG - Neubiberg, DE)
  • Mike Hamburg (Rambus - Vught, NL) [dblp]
  • Matthias Kannwischer (Academia Sinica - Taipei, TW) [dblp]
  • Patrick Karl (TU München, DE) [dblp]
  • Ayesha Khalid (Queen's University of Belfast, GB) [dblp]
  • Ahmet Can Mert (TU Graz, AT) [dblp]
  • Peter Pessl (Infineon Technologies AG - Neubiberg, DE) [dblp]
  • Christophe Petit (UL - Brussels, BE & University of Birmingham, GB) [dblp]
  • Thomas Pöppelmann (Infineon Technologies AG - Neubiberg, DE) [dblp]
  • Thomas Prest (PQShield - Paris, FR) [dblp]
  • Prasanna Ravi (Nanyang TU - Singapore, SG & Temasek Labs - Singapore, SG) [dblp]
  • Mélissa Rossi (ANSSI - Paris, FR) [dblp]
  • Simona Samardjiska (Radboud University Nijmegen, NL) [dblp]
  • Erkay Savas (Sabanci University - Istanbul, TR) [dblp]
  • Tobias Schneider (NXP Semiconductors - Gratkorn, AT) [dblp]
  • Sujoy Sinha Roy (TU Graz, AT) [dblp]
  • Rainer Steinwandt (University of Alabama in Huntsville, US) [dblp]
  • Marc Stöttinger (Hochschule RheinMain, DE) [dblp]
  • Ingrid Verbauwhede (KU Leuven, BE) [dblp]
  • Bo-Yin Yang (Academia Sinica - Taipei, TW) [dblp]

  • Cryptography and Security
  • Hardware Architecture

  • Post-quantum cryptography
  • Hardware security
  • Efficient implementations
  • Side-channel analysis