Exploring new business opportunities by leveraging emerging Post Quantum Cryptography (PQC) technology is one of the current business trends. It is undeniable that applying Root of Trust (RoT) solution based on Physically Unclonable Function (PUF), which has been proved in the Internet of Things industry, is crucial for establishing a solid foundation for the business. The same philosophy should be applied to PQC-era business and now is the time to make that decision. The PUF technology itself also undergoes major upgrades. The passive types of PUF technology, such as Via PUF, are leading the trend in the PQC business industry due to their insensitivity even to extreme operational conditions. What technical advantages can be expected from the adoption of a Root of Trust solution based on passive PUF technology and why would it be an opportune time for the business to make this decision?
- NIST’s selection of PQC algorithms and securing PQC private keys
The National Institute of Standards and Technology (NIST) has entered the fourth round of standardizing PQC algorithms, selecting four algorithms for standardization, including CRYSTALS-KYBER, CRYSTALS-Dilithium, FALCON, and SPHINCS+. Despite the selection, the significance of securing the system, including securing the private key, was not addressed. What if the private keys used in PQC algorithms are exposed or compromised? The entire system’s security can be breached, rendering even the strongest PQC algorithms ineffective. It is equally important to ensure the security of the PQC private key in addition to strengthening the algorithms themselves. To achieve this, a common method is to use hardware security modules (HSMs). HSMs can be used to generate and store cryptographic keys, authenticate devices, and maintain secure communication channels.
- HSMs are good but may be too heavy for IoT applications
For IoT applications, several fundamental factors need to be taken into consideration.
- The PQC algorithms that are designed to be lightweight and computationally efficient, making them suitable for IoT devices should be used. These lightweight PQC algorithms must be embedded in the IoT devices.
- It is essential to secure the private keys of the PQC algorithms using security platforms such as HSM. However, the cost, complexity, and potential performance or latency implications of implementing HSMs in IoT deployments should be carefully considered.
- IoT devices should be aimed to be deployed in a Zero Trust Environment (ZTE), as specified in the NIST special publication SP 800-207, which assumes all network traffic, users, and devices to be untrusted and requires authentication, authorization, and continuous monitoring for system and data security.
For IoT applications with limited computing power and form factor, it may not be feasible to implement the standard PQC algorithms and secure private keys using HSMs in a ZTE. Therefore, it is necessary to explore alternative solutions that are lighter but still capable of providing the same level of security for IoT applications.
An option to improve the security of an IoT system in a ZTE is to integrate a PUF into the security solution along with embedded PQC protocols. This results in a PUF based HSM. This integration can enhance the security of the IoT system, even in a ZTE.
- Passive PUF and Active PUF
The term “passive PUF” indicates the use of passive components like resistors and capacitors, whereas “active PUF” refers to the use of active components like transistors or SRAM cells.
Passive PUFs such as Via PUF provides exceptional reliability, even under extreme operational conditions. This is due to the fact that passive PUF is based on random formation of Vias during standard manufacturing process, which remains unaffected by external factors like temperature and voltage fluctuations. As a result, they offer an advantage over active PUFs, which rely on active device mismatch that can lead to bias issues in deep submicron technology. This makes passive PUFs an excellent choice for deployment in settings where physical damage or environmental stresses are likely, such as industrial IoT applications.
- Zero Trust Security and the Role of PUF
A paradigm shift toward zero trust security has become clear. With attackers constantly improving their skills, the security landscape for enterprises has become increasingly intricate, challenging, and costly. To tackle these difficulties, organizations have adopted the zero trust security approach. This can be interpreted as defensive tactics in a soccer game changing from local area defense to individual defense. Instead of relying on the security of the entire corporate network, such as a firewall, the focus is now on achieving impeccable security at the device level. The principle behind zero trust cybersecurity is “never trust, always verify” .
In a ZTE, the security perimeter of defense is situated on the end device itself, where the PQC private key is stored. Consequently, it is vital to protect the PQC private key in the device, which necessitates a more comprehensive validation process on the end device. Protecting the PQC private key at the device level is a fundamental aspect of zero trust security. However, storing the PQC private key in plain text in the device’s non-volatile memory (NVM) would not achieve this goal. In this regard, PUF technology can play a crucial role. We can encrypt the private keys with a PUF key (i.e. use as a Key Encryption Key) before storing it in NVM as shown in Figure 3. Note that the PUF key itself is never stored in the device but is generated each time demanded. The PUF key disappears once the encryption is done. This would present a significant obstacle to attackers as they would have no tangible target to exploit.
We propose the integration of PUF technology into the system security solution utilizing the PQC protocols to be considered in the PQC standardization process. From a system security point of view, the ultimate question narrows down to how to secure the PQC private keys used in the algorithms. The PUF can provide a hardware root of trust function to bridge the gap between PQC algorithms and system security concerns.
- The PQC algorithms and Generation of Private Keys
It is now necessary to comprehend the process of generating and utilizing PQC private keys in the algorithms. The subsequent two paragraphs outline the details of the two PQC algorithms that have been selected by NIST.
The CRYSTALS-KYBER (or KYBER) is a post-quantum key exchange protocol based on the hardness of the learning with errors (LWE) problem in lattice-based cryptography . The KYBER protocol consists of three core functions: Key Generation, Encrypt/Encapsulate, and Decrypt/Decapsulate as shown in Figure 2. The flow starts with the Key Generation function which generates a pair of a public key and a private key . The private key is a vector s chosen uniformly from (the n-dimensional integer vectors in modulo q). The public key consists of a matrix Aand a vector B which satisfies the equation A s + e = B, where e denotes a small error parameter which is also a secret value .
The CRYSTALS-Dilithium is a digital signing protocol that consists of key generation, signing procedure, and verification process as shown in Figure 3. The key generation function starts with generating a matrix each of whose entries is a polynomial in the ring . The algorithm samples random secret key vectors and . The public key is then computed using .
Note that the PQC private keys are integer vectors randomly chosen from . The public keys are generated by calculating the algorithms using the private keys as inputs. The private keys can be injected from an external source, or internally generated derived from a PUF key as described in Figure 4.
- Protection of PQC private keys by PUF
Depending on the origin of key generation, there are two examples of how private keys for PQC algorithms can be safeguarded. In the case where keys are generated externally on an off-chip side, they must be securely delivered or injected into the chip, which is referred to as the provisioning step during chip production. PUF can enhance the security of the key management system by encrypting the key before saving it in the chip’s memory. It is crucial to perform the provisioning process in a secure environment due to information exchange with the external off-chip world, as depicted in Figure 4(a). On the other hand, if the private keys of PQC are internally generated from a PUF-seeded random number generator, they are not necessarily stored in the chip’s memory. Instead, they are generated every time they are needed, providing stronger protection for private keys, particularly in a zero-trust environment, as shown in Figure 4(b). The next subsections provide a detailed explanation of these two cases.
6-1. Injection of PQC private keys
In a typical security system, a Public Key Infrastructure (PKI) is utilized to encrypt data, digitally sign documents, and authenticate itself using certificates. The process involves a client generating a public and private key pair and sending the public key to a Certificate Authority (CA) for signing, while the client device retains the private key. The client device may also store other confidential data, including PQC private keys, along with the CA-signed certificate, a process known as provisioning. To ensure the key value is not lost in case of power failure, the device typically stores the confidential data in an NVM like flash memory. However, there is a potential risk that the confidential data, including the PQC private key, may be leaked during the delivery process to the NVM. Even if the confidential data is transmitted securely, the NVM data may still be discovered through invasive or non-invasive attacks, such as side channel attacks or fault injection attacks. Therefore, storing unprotected private keys in NVM poses a significant vulnerability to security attacks, and it is recommended to encrypt them before storing in memory. We suggest utilizing a PUF-driven key as the security primitive.
As shown in Figure 4(a), when the private key of PQC algorithms is encrypted with the PUF key before being stored in NVM, even if the NVM data is extracted by attackers, only the encrypted image would be exposed. It is useless information without knowing the PUF key itself.
6-2. On-demand generation of PQC private keys
Another approach to secure the PQC private key involves each device entity generating the private key internally using an embedded PUF, as demonstrated in Figure 4(b). This method provides the strongest security because the private key is not disclosed outside the chip, which is assumed to be in a zero-trust environment. Since the fundamental properties provided by PUF are similar to those of the PQC private key, uniformly and randomly chosen from space, the PUF key can be directly used as the private key if the PQC algorithms do not have additional property requirements.
If the PQC requires specific private key properties, such as fitting into a given lattice size or being prime numbers, we can generate as many PUF bits as the entropy required by the PQC private key and utilize these bits as a seed to generate the PQC private keys . To reap the maximum benefits of using PUF, we suggest avoiding storage of the private key in memories like Flash or OTP since the unique secret key can be generated as needed. This is due to the “on-demand” feature of generating the private key supported by PUF technology. There is no need to store the private key since PUF generates the same key whenever it is requested.
- So, what is the Via PUF technology?
The Via PUF technology is based on the random formation of “Via” or “Contact” during the standard CMOS fabrication process. Unlike traditional processes that aim to meet design rules, the Via PUF technology intentionally reduces the sizes of Vias or Contacts below the required sizes in a controlled way, resulting in unpredictable or stochastic formation of Via or Contact. This technique enables the chip to possess an inherent and unique “inborn ID” property that is comparable to a DNA fingerprint. The PUF ID does not need to be stored, and no injection process is necessary. Additionally, the PUF bits have a resistor-like structure that is not sensitive to environmental stresses such as voltage and temperature variations, eliminating the need for error correction code (ECC) logic. A summary of these characteristics is provided in Table 1 as described in the GSA Forum Article on Via PUF. The technology’s details were first published in 2020  and later in 2022 .
- Importance of Secure Key Management in PQC standardization
To ensure the security of PQC, the standardization should not only focus on safe implementation of algorithms but also include the development of a secure key management system that protects the PQC private key from physical security attacks. A PUF-based key management approach is suggested for this purpose. While PQC algorithms may resist quantum computing attacks, they may not guarantee security in a cryptographic key management system, hence the recommendation to include PUF-based PQC key management methods in the standardization process, utilizing Via PUF technology as the primary foundation for the Root of Trust function.
- PQC Era with passive PUF technology
The adoption of a Root of Trust solution based on passive PUF technology represents an opportune time for businesses to establish a solid foundation for their PQC-era security infrastructure. By leveraging the technical advantages of passive PUF technology, businesses can ensure a high level of security, reliability, and future-proofing for their PQC applications.
- A call to action for PQC business
The two different waves that we will experience today or in the near future can be identified as the emergence of quantum computers and the necessity of zero trust security. From the perspective of digital security, these two waves are interrelated. That is, there is a need for PQC to confront the powerful quantum computers, and a need for Root of Trust solution to protect the private key of PQC within a zero trust environment to ensure the safety of the entire system. The solution that connects these two waves is the Root of Trust solution based on PUF. The solution that provides strong security measures for all future communications is the PQC system that operates with the passive PUF based Root of Trust. Now is the right time to make the call for the PQC business.
I would like to acknowledge Dr. DH Jeon, KC Shin, and BH Kang from ICTK Holdings, and JB Choi from LG Uplus for their invaluable contribution in the writing of this article. This study was also supported by task 2021H1D3A2A02096391 under NTIS assignment #1711141235, LG U+ 2022 PQC national project, LG U+ PUF PQC eSIM and PUF PQC VPN project.
 Alper Kerman (2020), “Zero Trust Cybersecurity: ‘Never Trust, Always Verify’”, Available at https://www.nist.gov/blogs/taking-measure/zero-trust-cybersecurity-never-trust-always-verify
 Roberto Avanzi, Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, Damien Stehle (2021), “CRYSTALS-KYBER Algorithm Specifications And Supporting Documentation (version 3.01)”. Available at: https://pq-crystals.org/kyber/data/kyber-specification-round3-20210131.pdf
 Anton Tutoveanu (2021), “Active Implementation of End-to-End Post-Quantum Encryption”. Available at: https://eprint.iacr.org/2021/356.pdf
 Bill Buchanan (2018), “Public Key Encryption using Learning With Errors (LWE)”. Available at:
 Shi Bai, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, Peter Schwabe, Gregor Seiler and Damien Stehlé (2021), “CRYSTALS-Dilithium Algorithm Specifications and Supporting Documentation (version 3.1)”. Available at: https://pq-crystals.org/dilithium/data/dilithium-specification-round3-20210208.pdf
 Bertrand Cambou, et. al. (2021), “Post Quantum Cryptographic Keys Generated with Physical Unclonable Functions”. Appl. Sci. 2021, 11, 2801. Available at: https://doi.org/10.3390/app11062801
 D. J. Jeon, et al. (2020), “A Physical Unclonable Function with Bit Error Rate < 2.3×10-8 based on Contact Formation Probability without Error Correction Code,” IEEE Journal of Solid-State Circuits, vol. 55, No. 3, pp. 805-816, March 2020.
 D. Jeon, D. Lee, D. K. Kim, and B. D. Choi (2022), “A 325 F2 Physical Unclonable Function Based on Contact Failure Probability with Bit Error Rate < 0.43 ppm After Preselection With 0.0177% Discard Ratio,” in IEEE Journal of Solid-State Circuits, July 2022, doi:10.1109/JSSC.2022.3189351.
About Teddy Kyung Lee | email@example.com | www.ictk.com
Teddy Kyung Lee is an IoT security professional working on bringing security features to network components such as Device authentication, Anti-counterfeiting solutions, and Machine-to-machine authentication. He is recently interested in Hardware Root of Trust solutions using Physically Unclonable Function (PUF) technology extended from his career background in hardware SoC design.
Teddy received a Ph.D. and M.S. degrees in Electrical Engineering from the University of Texas at Austin, and a B.S. degree in Electronics Engineering from Seoul National University, Seoul, South Korea. He worked in IBM Research Lab, Austin, TX, and Sun Microsystems, Sunnyvale, CA, as a circuit designer in microprocessor designs. Thereafter he worked in Juniper Networks, Sunnyvale, CA, and then Altera Corporation, San Jose, CA as a methodology leader. Scouted as an overseas brain by the Korean government, he worked in the development of security SoCs for IoT and M2M-authentication applications. Currently, he serves as a Brain Pool scientist supported by the government, working on developing a low-power Post-Quantum PUF security SoC chip that includes an eSIM function, and an NFC chip for smart card application.