Post-Quantum Cryptography Hardware: Monolithic Implementations vs. Hardware-Software Co-Design

At PQShield, we've developed dedicated coprocessor(s) for lattice schemes, hash-based signatures, and code-based cryptography. These cryptographic modules are commercial rather than academic and designed to meet customer specifications such as a specific performance profile or Common Criteria and FIPS security certification requirements. Hardware implementations of legacy RSA and Elliptic Curve cryptography were generally just "big integer" engines. Post-quantum algorithms use a much broader range of primitive operations and are generally more complex.<br/> Monolithic hardware implementations are self-contained modules implementing the entire algorithm. A monolithic implementation has a clear security boundary but will lead to inflexibility and a relatively large area. On the other hand, a co-design approach will offload only those computations to special memory-mapped peripherals or custom instructions that benefit from it the most, e.g., SHAKE or large polynomial/vector/matrix circuitry. We discuss our experiences with both of these approaches, drawing from our engineering experience.