When OpenTitan® launched in 2019, it was the world’s first open source root of trust (RoT), built in collaboration between Google and multiple commercial and academic partners. Today, numerous partners are invested in OpenTitan’s success — countering not just today’s security challenges but also preparing for the post quantum cryptography (PQC) era.

Post Quantum Cryptography

The predicted emergence [1][2] of commercially viable quantum computers represents a paradigm shift for our industry. Their ability to dramatically speed up certain algorithms considerably affects specific fields of interest such as cryptography, finance and artificial intelligence.

Of these areas, cryptography is arguably undergoing the most significant alteration — because cryptanalytic attacks leveraging the particular nature of quantum hardware degrade the security guarantees of virtually all traditional asymmetric cryptographic algorithms. While symmetric algorithms such as AES can retain their original security levels by having their key lengths increased, the situation is more delicate for asymmetric primitives where security relies on specific mathematical problems being very difficult to solve. Difficult for classical computers that is — unfortunately many of these can be solved efficiently by quantum machines [3] — including most of the public-key procedures underpinning digital signatures and the security of the world-wide web. Using longer keys in this case doesn’t work — the legacy algorithms must be replaced in their entirety for the systems relying upon them to remain secure.

This imminent security degradation in classical public-key cryptography has spurred researchers to find quantum-resistant alternatives, in a new discipline that’s become known as post-quantum cryptography, or PQC. The key challenge has been to develop public-key algorithms whose security is based on different mathematical problems believed to be difficult to solve even with the help of a quantum computer. NIST concluded its open standardisation process in August of 2024 and approved a portfolio of four quantum-resistant public-key algorithms, three of which are usable for digital signatures [4]. Since then, we have been in a transition phase in which legislative bodies urge entities deploying cryptography to start implementing, and eventually switch to, PQC algorithms within the next 5 to 10 years [5][6][7][8].

This endeavour is non-trivial, time- and resource-consuming, and incremental in nature. It must be executed with the utmost diligence — inherent of course to every cryptographic implementation, but particularly so when new algorithms are being adopted.

OpenTitan

OpenTitan, the first open source project to build a transparent, commercial-grade reference design and integration guidelines for silicon RoT chips, already includes an array of industry-vetted symmetric cryptographic hardware IP blocks as well as software implementations of traditional public-key algorithms as standardized by NIST FIPS-186 and the IETF [9], plus a hardware-accelerated implementation of the asymmetric PQC algorithm SPHINCS+, aka FIPS-205 SLH-DSA. This early experience of the OpenTitan ecosystem in creating PQC-enhanced systems, together with the platform’s role as a nexus for engineering and academic excellence, makes OpenTitan an ideal vehicle for adopting new, standardised PQC schemes. For example, our existing implementation of the SPHINCS+ signature verification algorithm, integrated into the first OpenTitan production silicon [10], is compliant with FIPS-205 SLH-DSA.

However, the PQC implementation space is still not as extensive as, for example, that of block ciphers or hash functions in the symmetric realm. This is due not only to the relative novelty of the algorithms involved but also to their increased overall algorithmic complexity, a significant step up from previous non-quantum-resistant schemes [11]. PQC’s relative lack of maturity is perhaps most evident when it comes to optimisation of both software and hardware. For example, NIST’s standardised PQC algorithms require comparably large keys and many computational cycles per execution, which can pose a serious hindrance when considering their implementation in resource-constrained systems (which are, nevertheless, equally exposed to implementation attacks in a quantum world). As a result, extending OpenTitan to support the other PQC algorithms required for CNSA 2.0 compliance, Dilithium (aka FIPS-204 ML-DSA) and Kyber (aka FIPS-203 ML-KEM), including hardening against physical attacks on OpenTitan’s Big Number Accelerator (OTBN), a dedicated, programmable cryptographic accelerator, is not straightforward and requires a multi-pronged hardware extension of OTBN.

The Hardening Challenge

For devices targeting security certification (for example under Common Criteria), a cryptographic implementation is only truly viable if it is hardened against side-channel and fault-injection attacks in order to thwart an adversary that attacks a primitive not on the algorithmic level but through its implementation (be that hardware, software, or some combination of both).

And just as with optimisation, hardening of PQC algorithms is less well understood than for classical primitives. As such, even though research in both optimisation and hardening is increasing in intensity, any current PQC implementation will necessarily have to adapt to the state of the art as it matures. As a point of reference, hardening classical public-key schemes was a strenuous, high-effort venture over many years, so a similar effort may reasonably be expected for PQC hardening.

But there are some reasons for optimism too. For example, OpenTitan already includes built-in side-channel and fault-injection countermeasures, together with the bignum coprocessor OTBN and other accelerator blocks that together form a base for bootstrapping secure implementations of PQC algorithms. As a result, OpenTitan is the ideal platform for researchers and corporate developers to benchmark, verify and deploy their own PQC suites — leveraging an open-source model that helps everyone prepare for a post quantum future in a manner that Kerckhoffs would approve [12].

Over the last couple of years, researchers have compiled a large body of work on secure and efficient implementations of PQC algorithms, including memory and performance optimizations as well as side-channel and fault-injection hardening. And indeed, some of these works are based on OpenTitan, which is something we’re proud to see!

OTBN Hardware Extensions for PQC

In the OpenTitan project, before progressing to the actual implementation, we thoroughly investigated the existing and emerging scientific literature on PQC implementations, with the aim of working out a comprehensive set of techniques (see below) that offer not only security guarantees comparable to the countermeasures already present in OpenTitan but also the flexibility to adapt in the future.

OpenTitan partners have now greenlit the following hardware extensions to OTBN to enable efficient and secure implementations of Dilithium, i.e., FIPS-204 ML-DSA [13], and Kyber, i.e., FIPS-203 ML-KEM, in future versions of OpenTitan.

  • Increasing memories: The OTBN data memory will be increased from 4 KiB to 32 KiB in order to accommodate the largest variables required by ML-DSA-87 signature generation including SCA hardening. Together with the required increase in instruction memory, this dominates the overall increase in silicon area for OTBN.
  • Adding a KMAC application interface: By means of granting OTBN access to the SCA-hardened OpenTitan KMAC IP block, the numerous calls to the Keccak (SHA-3) hash function can be offloaded which significantly reduces the number of execution cycles as well as the code size.
  • Adding a 32-bit single instruction, multiple data (SIMD) ISA extension: This adds support for vectorized additions and multiplications to accelerate the Number Theoretic Transform (a variant of the Discrete Fourier Transform) and, more generally, polynomial arithmetic, an essential building block of lattice-based cryptography. Besides reducing code size, this leads to higher computational performance, which enables trading higher compute for a lower data memory footprint and allows an SCA-hardened ML-DSA-87 signature generation to fit into the 32 KiB data memory. Restricting the minimum element size to 32 bits is beneficial for limiting the increase in silicon area and maintaining the critical path delay, which is particularly important for internal RoT use cases that typically clock a lot faster than discrete RoT chips like the first OpenTitan production silicon. Additional instructions for efficient packing and unpacking of vectors reduce the data memory footprint by a further 25%.
  • Adding hardware accelerated mask conversion: Both ML-DSA and ML-KEM combine operations that are most efficiently hardened against SCA using different masking schemes. When moving between such operations, the masked intermediate results need to be converted from one scheme to the other. Without hardware support, these mask conversions can quickly take up 90% of the overall run time.
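To make the SIMD and mask-conversion items above concrete, here is an added reference example in Python; it is not OTBN code and not part of the OpenTitan project. It implements the negacyclic Number Theoretic Transform over the ML-DSA ring Z_q[x]/(x^256 + 1) with the FIPS 204 parameters (q = 8380417, ζ = 1753), checks NTT-based polynomial multiplication against a schoolbook reference, and shows that first-order arithmetic shares pass through the (linear) NTT independently. The inner butterfly loop is the part a vector add/multiply unit accelerates; the masking part illustrates why arithmetic masking fits polynomial arithmetic while non-linear steps need Boolean shares and therefore a conversion. The sample polynomials are constructed from a seeded generator.

```python
# Added example (not OpenTitan/OTBN code): reference negacyclic NTT over the
# ML-DSA (FIPS 204) ring Z_q[x]/(x^256 + 1), plus a masked-share demonstration.
import random

Q = 8380417          # ML-DSA modulus, 2^23 - 2^13 + 1 (fits one 32-bit lane)
N = 256              # number of polynomial coefficients
ZETA = 1753          # primitive 512th root of unity mod Q (FIPS 204)


def bitrev8(k):
    """Reverse the 8 bits of k (0..255)."""
    return int(f"{k:08b}"[::-1], 2)


# Twiddle factors zeta^bitrev8(k) in the order the butterflies consume them.
ZETAS = [pow(ZETA, bitrev8(k), Q) for k in range(N)]


def ntt(w):
    """Forward NTT (Cooley-Tukey): coefficients -> evaluations at odd powers of zeta."""
    w = list(w)
    k = 0
    length = 128
    while length >= 1:
        for start in range(0, N, 2 * length):
            k += 1
            z = ZETAS[k]
            # 'length' independent butterflies: each iteration touches only its own
            # pair (w[j], w[j+length]), so all of them can run as one vector op.
            for j in range(start, start + length):
                t = z * w[j + length] % Q
                w[j + length] = (w[j] - t) % Q
                w[j] = (w[j] + t) % Q
        length //= 2
    return w


def intt(w):
    """Inverse NTT (Gentleman-Sande): evaluations -> coefficients."""
    w = list(w)
    k = N
    length = 1
    while length < N:
        for start in range(0, N, 2 * length):
            k -= 1
            z = (-ZETAS[k]) % Q          # equals the inverse of the forward twiddle
            for j in range(start, start + length):
                t = w[j]
                w[j] = (t + w[j + length]) % Q
                w[j + length] = z * (t - w[j + length]) % Q
        length *= 2
    n_inv = pow(N, -1, Q)                # undo the factor 256 picked up over 8 layers
    return [n_inv * x % Q for x in w]


def ntt_multiply(a, b):
    """Multiply in Z_q[x]/(x^256+1) via two transforms and 256 pointwise products."""
    fa, fb = ntt(a), ntt(b)
    return intt([x * y % Q for x, y in zip(fa, fb)])


def schoolbook_multiply(a, b):
    """Reference O(n^2) negacyclic multiplication, using x^256 = -1."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                c[i + j] = (c[i + j] + ai * bj) % Q
            else:
                c[i + j - N] = (c[i + j - N] - ai * bj) % Q
    return c


def masked_ntt(share0, share1):
    """First-order arithmetic masking: a = share0 + share1 mod Q. Because the NTT is
    linear, each share is transformed on its own and the results still sum to NTT(a).
    Bitwise steps (range checks, comparisons) have no such property, which is why
    lattice schemes switch to Boolean shares there and need mask conversion."""
    return ntt(share0), ntt(share1)


def check_against_schoolbook(seed=2024, trials=3):
    """True if NTT multiplication and masked NTT behave as expected on random inputs."""
    rng = random.Random(seed)            # constructed, deterministic sample polynomials
    for _ in range(trials):
        a = [rng.randrange(Q) for _ in range(N)]
        b = [rng.randrange(Q) for _ in range(N)]
        if ntt_multiply(a, b) != schoolbook_multiply(a, b):
            return False
        r = [rng.randrange(Q) for _ in range(N)]           # fresh random mask
        s0 = [(x - m) % Q for x, m in zip(a, r)]            # share 0 = a - r
        f0, f1 = masked_ntt(s0, r)
        if [(x + y) % Q for x, y in zip(f0, f1)] != ntt(a):
            return False
    return True


if __name__ == "__main__":
    print("NTT multiply matches schoolbook:", check_against_schoolbook())
```

Running the file prints `True`. The j-loop in `ntt` and `intt` is the workload the 32-bit SIMD extension targets: every lane is an independent modular multiply-add on values below 2^23, so a vector of coefficients can be processed per instruction instead of one coefficient per scalar OTBN instruction.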

We have now started upstreaming and implementing these changes in the master branch of the OpenTitan code base on GitHub and plan to complete the hardware changes in 2026.

Acknowledgements

We would like to thank Google and Nuvoton for their contributions regarding the OpenTitan PQC architecture and their ongoing collaboration on the project.

Furthermore, we would like to thank the following people for their important and outstanding work and research in the PQC domain and in particular for their support of the OpenTitan project and lowRISC (in alphabetical order):

  • Amin Abdulrahman, Felix Oberhansl, Hoang Nguyen Hien Pham, Jade Philipoom, Peter Schwabe, Tobias Stelzer and Andreas Zankl for their work on accelerating ML-KEM and ML-DSA on OpenTitan by means of letting OTBN access KMAC and by adding SIMD support, and for presenting their results to the OpenTitan Security Working Group [14].
  • Emma Urquhart and Frank Stajano for their work and collaboration around accelerating lattice-based cryptography on OpenTitan through a SIMD extension for OTBN [15].
  • Markku-Juhani O. Saarinen for presenting his research on hardening and attacking PQC implementations to the OpenTitan Security Working Group and for providing guidance on how to best approach the PQC hardening.
  • Navaneeth Kunhi Purayil, Christopher Reinwardt, Frank K. Gurkaynak and Luca Benini for their collaboration on multiple student projects carried out at the Integrated Systems Laboratory of ETH Zürich.

The OpenTitan project is stewarded by lowRISC C.I.C., a not-for-profit engineering company that creates and maintains commercial-grade open source silicon designs through its collaborative Silicon Commons® approach. As the post-quantum world comes ever closer, the OpenTitan partnership and lowRISC are committed to a roadmap that addresses these challenges head on.

If you would like to find out more about OpenTitan and its approach to PQC, then contact us at get-involved@opentitan.org.


[1] https://ieeexplore.ieee.org/document/10064036

[2] https://www.quera.com/blog-posts/current-and-future-state-of-quantum-computing

[3] Shor’s algorithm is a prime example of an algorithm that can efficiently solve a problem (in this case factorization of large integers) on a quantum computer that has no known efficient solution on classical hardware.

[4] A digital signature is a public-key cryptographic algorithm through which, among other things, the authenticity and integrity of a message can be verified.

[5] https://csrc.nist.gov/pubs/ir/8547/ipd

[6] https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Crypto/PQC-joint-statement-2025.pdf

[7] https://www.ncsc.gov.uk/news/pqc-migration-roadmap-unveiled

[8] https://digital-strategy.ec.europa.eu/en/library/coordinated-implementation-roadmap-transition-post-quantum-cryptography

[9] Currently, OpenTitan supports classical public-key cryptosystems based on either RSA (PKCS, PSS, OAEP) or elliptic curves (ECDSA, ECDH, Ed25519, X25519); various AES modes of operation (most notably AES-GCM); the SHA2 and SHA3 hash functions and their corresponding XOFs; message authentication codes and key derivation functions in the form of HMAC and KMAC; and the AES-CTR-DRBG random bit generator.

[10] https://opensource.googleblog.com/2025/02/fabrication-begins-for-production-opentitan-silicon.html

[11] Three of the four standardised NIST PQC algorithms are based on lattices, a complex mathematical structure whose optimisation and hardening progress is still in its infancy.

[12] https://www.allaboutcircuits.com/industry-articles/150-year-old-principle-at-root-of-secure-silicon-and-software/

[13] For CNSA 2.0 compliance, NIST Level 5, i.e., ML-DSA-87 and ML-KEM-1024, is targeted.

[14] A. Abdulrahman, F. Oberhansl, H. N. H. Pham, J. Philipoom, P. Schwabe, T. Stelzer, A. Zankl (2024). Towards ML-KEM & ML-DSA on OpenTitan. In: 2025 IEEE Symposium on Security and Privacy (SP). https://doi.org/10.1109/SP61157.2025.00220

[15] E. Urquhart and F. Stajano (2024). Acceleration of Core Post-quantum Cryptography Primitive on Open-Source Silicon Platform Through Hardware/Software Co-design. In: Kohlweiss, M., Di Pietro, R., Beresford, A. (eds) Cryptology and Network Security. CANS 2024. Lecture Notes in Computer Science, vol 14905. Springer, Singapore. https://doi.org/10.1007/978-981-97-8013-6_7