Building an Efficient Side-Channel-Resilient Post-Quantum Root-of-Trust Design

Electronic Design, May 19, 2026

Why It Matters

Side‑channel‑resilient post‑quantum cryptography enables RoT chips to meet high‑assurance security certifications without prohibitive performance loss, a critical step for industry‑wide PQC adoption.

Key Takeaways

  • OpenTitan adds dedicated mask‑conversion accelerators (A2B, B2A, shared adder)
  • Hardware/software split cuts masked ML‑DSA overhead to 2‑4×
  • Vectorized OTBN arithmetic reduces code size and memory pressure
  • Planned KMAC‑OTBN interface will streamline randomness for signatures
  • Side‑channel hardening now feasible for secure‑boot RoTs

Pulse Analysis

The race to replace RSA and elliptic‑curve keys with NIST‑approved post‑quantum algorithms has moved from theory to implementation. Governments and chip makers are already planning migration paths, and root‑of‑trust (RoT) silicon such as OpenTitan must withstand attackers rated at Common Criteria “High” attack potential. In that threat model a mathematically correct algorithm is not enough: if power consumption or electromagnetic emissions leak key material while the chip computes with it, the key is lost however sound the mathematics. Side‑channel analysis (SCA) resistance is therefore a prerequisite for any PQC‑enabled secure‑boot solution.

OpenTitan tackles the SCA penalty by splitting the workload between a hardened software stack and three purpose‑built accelerators inside the OpenTitan Big Number Accelerator (OTBN): a shared 32‑bit adder and dedicated Boolean‑to‑Arithmetic (B2A) and Arithmetic‑to‑Boolean (A2B) mask converters. Masking keeps every secret split into randomized shares, and masked ML‑DSA constantly alternates between modular arithmetic, which is cheap on arithmetic shares, and bitwise operations such as comparisons and bit extraction, which are cheap on Boolean shares; every switch between the two domains costs a conversion, which is why the conversions dominate masked ML‑DSA runtimes. By vectorizing these converters and other arithmetic primitives, the design amortizes their multicycle latency across 32‑bit word lanes, shrinking both execution time and code footprint. Early benchmarks show the fully masked ML‑DSA implementation running only 2‑4× slower than an unprotected version, against the roughly ten‑fold slowdown reported for pure‑software masking.
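As an added illustration (not code from the OpenTitan project, whose OTBN accelerators implement these conversions in hardware), the Python below performs first‑order Boolean‑to‑arithmetic and arithmetic‑to‑Boolean mask conversion on 32‑bit words using Goubin's 2001 algorithms, then uses them for the pattern that makes the conversions necessary in masked ML‑DSA: add on arithmetic shares, then read a bit on Boolean shares, without ever recombining the secret. The function names, the choice of Goubin's method and the test values are this example's assumptions; the article does not say which conversion algorithm OTBN implements. Python integers are not constant‑time, so the snippet demonstrates the share algebra and the linear dependence of A2B cost on word width, not actual leakage resistance.

```python
"""Added example (not OpenTitan/OTBN code): first-order Boolean<->arithmetic
mask conversion on 32-bit words using Goubin's 2001 algorithms, plus the
add-then-extract-a-bit pattern that forces a domain switch in masked code."""
import secrets

W = 32                     # word width, matching the article's 32-bit lanes
MASK = (1 << W) - 1


def arith_share(x, r):
    """Arithmetic sharing of x under mask r: returns A with x = (A + r) mod 2^W."""
    return (x - r) & MASK


def bool_share(x, r):
    """Boolean sharing of x under mask r: returns x' with x = x' ^ r."""
    return x ^ r


def b2a(xp, r, gamma):
    """Goubin B2A: (x', r) with x = x' ^ r  ->  A with x = (A + r) mod 2^W.

    Fixed operation count with no secret-dependent branch or table lookup.
    gamma must be a fresh random word; it only randomizes the intermediates.
    Relies on phi(u) = (x' ^ u) - u being affine over GF(2):
    phi(r) = phi(gamma) ^ phi(gamma ^ r) ^ phi(0), with phi(0) = x'.
    """
    t = xp ^ gamma
    t = (t - gamma) & MASK
    t ^= xp                      # t = phi(gamma) ^ phi(0)
    g = gamma ^ r
    a = xp ^ g
    a = (a - g) & MASK           # a = phi(gamma ^ r)
    return a ^ t                 # = phi(r) = (x' ^ r) - r = x - r


def a2b(a, r, gamma):
    """Goubin A2B: A with x = (A + r) mod 2^W  ->  x' with x = x' ^ r.

    Computes x' = A ^ carry(A, r) with the carry vector kept masked by 2*gamma
    and propagated one bit position per loop iteration, so the cost grows
    linearly with W (the multicycle latency a hardware converter amortizes).
    """
    t = (gamma << 1) & MASK      # t = 2*gamma ^ carry, carry starts at 0
    xp = gamma ^ r
    omega = gamma & xp
    xp = t ^ a
    g = (gamma ^ xp) & r
    omega ^= g
    omega ^= t & a               # omega = gamma ^ (A & r) ^ (2*gamma & (A ^ r))
    for _ in range(W - 1):       # W-1 steps settle all W carry bits
        g = (t & r) ^ omega
        t &= a
        g ^= t                   # g = gamma ^ (carry & (A ^ r)) ^ (A & r)
        t = (g << 1) & MASK      # t = 2*gamma ^ next carry
    return xp ^ t                # (2*gamma ^ A) ^ (2*gamma ^ carry) = A ^ carry


def masked_add_then_msb(x, k, rng=secrets.randbits):
    """Return (s0, s1) with s0 ^ s1 = MSB of (x + k) mod 2^W, never recombining x.

    Adding the public constant k happens on arithmetic shares (only one share
    is touched, as on a shared adder); reading a bit needs Boolean shares,
    hence exactly one A2B in between.
    """
    r = rng(W)
    a = (arith_share(x, r) + k) & MASK
    xp = a2b(a, r, rng(W))
    return (xp >> (W - 1)) & 1, (r >> (W - 1)) & 1


def roundtrip_ok(trials=1000, rng=secrets.randbits):
    """Randomized self-check: bool -> arith -> bool returns the same secret."""
    for _ in range(trials):
        x, r = rng(W), rng(W)
        a = b2a(bool_share(x, r), r, rng(W))
        if (a + r) & MASK != x or a2b(a, r, rng(W)) ^ r != x:
            return False
    return True


if __name__ == "__main__":
    print("round trips ok:", roundtrip_ok())
    s0, s1 = masked_add_then_msb(0x7FFFFFFF, 1)
    print("MSB of 0x7FFFFFFF + 1 =", s0 ^ s1)   # read only from the two shares
```

Two points carry over to the hardware setting: the B2A path is a handful of word operations, while A2B needs a carry‑propagation loop whose length scales with the word width, which is the kind of multicycle latency a vectorized converter spreads across lanes; and every conversion consumes a fresh random word (the gamma parameter above), so a masked signature burns randomness at a rate that makes the RNG supply path a real cost.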

The hardware‑software co‑design approach positions OpenTitan as a reference platform for future RoT chips that must support both quantum‑resistant cryptography and high‑assurance security certifications. With the planned KMAC‑OTBN interface, randomness generation—a current bottleneck—will move into the accelerator domain, further compressing boot latency and memory usage. As semiconductor vendors integrate these primitives, the industry can meet NIST’s 2030 PQC migration timeline without sacrificing performance, paving the way for widespread adoption of secure‑boot in IoT devices, automotive ECUs, and edge servers.
