Post-Quantum Architectures for Automotive Secure Modules
We first provide an introduction to the different classes of PQC algorithms. Second, we provide a detailed case study on a typical automotive scenario which covers the typical use cases of modern HSMs. A. Post-Quantum Cryptography There are five popular classes of PQC algorithms: hashbased, code-based, lattice-based, multivariate, and isogenybased cryptography. Each of the classes is based on a different mathematical problem that is hard to be solved by both modern computers and quantum computers. These schemes differ in the size of the keys and messages, the efficiency, as well as the trust in their security analysis, etc.
1) Code-Based Cryptography: Most code-based encryption schemes are based on the McEliece cryptosystem which was first proposed in 1978  and its instantiation using binary Goppa codes remains secure nowadays. However, one main issue in the McEliece cryptosystem is the large size of the public key. Even for its dual-variant, the Niederreiter cryptosystem  which introduced a trick to compress the public key, the size of the public key is still over 1MB when targeting 128-bit post-quantum security level. Some research efforts have been focused on reducing the size of the keys by incorporating structures into the code, e.g., by use of quasicyclic codes. Two of such schemes based on structured codes namely BIKE  and HQC , have made to the 3rd round of the NIST PQC standardization process.
2) Hash-Based Cryptography: Hash-based signature schemes are considered very mature as its security fully relies on the properties of the underlying hash function which is well-understood. XMSS  and LMS  are two popular stateful hash-based signature schemes that are under NIST’s consideration to be standardized early as part of the postquantum cryptography development2 . Therefore, hash-based signatures are promising candidates as post-quantum secure signature schemes.
3) Lattice-Based Cryptography: Lattice-based cryptography is arguably the most popular among different PQC families. Its security is based on different types of hard problems defined on a high-dimensional lattice, e.g., “learning with errors (LWE)”, “shortest vector problem (SVP)”, etc. Similar to code-based schemes, lattice-based schemes based on generic lattices  are generally more confidence-inspiring while those based on ideal (structured) lattices  have much smaller keys and better performance. However, choosing security parameters for lattice-based schemes has always been challenging as their security against quantum-computer attacks is not yet well-understood nowadays .
4) Multivariate Cryptography: Multivariate cryptography is based on the hardness of solving a multivariate quadratic system of equations over a finite field, which is an NP-hard problem. Although the security of multivariate cryptosystems is well analyzed, it is not an easy task to construct such a scheme both securely and efficiently. Many schemes have been proven insecure over the last decade. Few of them focused on signature schemes (e.g., , ) remain secure nowadays.
5) Isogeny-Based Cryptography: Isogeny-based cryptography is the youngest family among all the PQC candidates which was initially proposed as an encryption scheme in 2006 . The construction of an isogeny-based scheme is based on the hardness of finding a high-degree supersingular isogeny between two elliptic curves. This brings the advantage that isogeny-based schemes can partly inherit the arithmetic from classical ECC schemes. However, the efficiency of the isogeny-based candidates is not very competitive especially when compared with structured lattice-based schemes. Moreover, due to the novelty of isogeny-based problems, there is not yet enough confidence in these schemes.
IV. HARDWARE ARCHITECTURES OF PQC HSM
In this section, we focus on the discussions of designing an HSM for applications in the automotive domain. As a design reference we focus on the HSM definition given in the EVITA project4 . Figure 1 depicts a typical architecture of an EVITA like HSM. Since EVITA medium and EVITA light are subsets of a EVITA full HSM, the analysis on these smaller HSMs can be done similarly. From now on we will refer to EVITA full HSMs as modern HSMs. A. Modern HSMs A modern full HSM typically includes the following cryptographic building blocks , as summarized in Table I: • SHA2–256, used as a general-purpose hash function as an alternative to the originally proposed WHIRLPOOL.
• (AES-128, all), used for symmetric cryptographic operations including: Key generation, encryption and decryption, as discussed in Section II-B, this block is required for SecOC. • TRNG, used as a true random number generator (TRNG). The digital entropy is collected from the variances in the hardware, e.g., in a ring oscillator based TRNG, jitter between digital ring oscillators are collected. • (AES-128, enc), used as a pseudo random number generator (PRNG). This PRNG is usually seeded by a TRNG and expands the randomness by use of an AES engine which only supports the encryption operation. • ECC-256, used for 256-bit elliptic curve arithmetics in an asymmetric cryptosystem. Once big quantum computers are available, such an HSM is no longer secure: The security of ECC-256 is fully compromised due to Shor’s algorithm  while the securities of SHA2–256, (AES-128, all) and (AES-128, enc) are halved due to Grover’s algorithm . To ensure that an automotive HSM stays safe even against quantum computers, post-quantum secure asymmetric primitives should be used to replace ECC256 and at the same time, symmetric primitives and hash function with doubled security should be used.
PQC HSMs In a post-quantum secure HSM (PQC HSM), hash function and symmetric cryptographic primitives are all chosen such that they can maintain a 128-bit security level against quantum computers for both medium and high security levels in order to be more conservative. For asymmetric cryptographic primitives, much more radical changes are needed: Fully different cryptographic blocks are needed to build a PQC HSM compared to those needed in modern HSMs. Table I and Figure 2 summarizes the HSM solutions we proposed targeting medium and high security levels respectively. The following cryptographic blocks are recommended for a PQC HSM:
• SHA3–512, used as a general-purpose hash function. SHA3–512 is part of the SHA-3 standard released by NIST in 2015  and its structure is internally different from the SHA-2 standard. SHA-3 is a subset of the broader cryptographic primitive family Keccak and uses the sponge construction in its inner construction while SHA-2 is based on the MD5-like structure.
• (AES-256, all), used for symmetric cryptographic communications. It has the same purpose as (AES-128, all), but with doubled security level.
- (AES-256, enc), used for constructing a PRNG.