
Interview: Post-Quantum Cryptography and the Future of Embedded Security

By Alexander Neumann



On December 3, 2025, Elektor is hosting a conference on post-quantum cryptography and its significance for embedded and IoT systems. Ahead of the event, we spoke with Roland Marx (left) and Johann-Philipp Thiers (right), both working for Swissbit, about Secure Elements and Supply Chain Protection in the context of PQC.

Alexander Neumann: Why are older or existing embedded devices particularly vulnerable to quantum-computer threats?

Roland Marx: Older or existing embedded devices are at a significant disadvantage when defending against post-quantum threats. Many of them lack specialized security hardware such as trusted execution environments or trusted platform modules. They often run on constrained resources, have long lifecycles, and support only limited or no update mechanisms — especially in industrial IoT environments where devices operate for 10 to 20 years or more.

Johann-Philipp Thiers: In addition, upgrading entire PKI infrastructures and replacing existing device keys is challenging. Embedded devices frequently rely on outdated communication protocols, limited data budgets, or networking stacks that cannot easily be upgraded to support post-quantum-secure mechanisms. As a result, outdated cryptography may remain in use long after it is considered insecure.

Neumann: Which use cases are particularly relevant for retrofitting with PQC?

Thiers: Retrofitting with post-quantum cryptography is especially relevant in scenarios that depend on PKI, device identities, key exchange, or secure communication protocols. This includes networked devices, industrial controllers, ECUs, robots, or any system that relies on public-key encryption or signature verification.

Additionally, use cases involving secure boot or the establishment of a trustworthy hardware root of trust are critical. These mechanisms ensure firmware integrity and authenticity — and thus must remain resilient even when classical asymmetric cryptography becomes vulnerable to quantum attacks.

Neumann: You will present two approaches: PQC-ready secure elements and protection of firmware in the supply chain. How do these work in practice?

Thiers: One important aspect is crypto agility: post-quantum algorithms will evolve, and recommended algorithms may change again in the future. PQC is not a “one-time transition” but an ongoing process.

  1. PQC-ready secure elements: If a device’s security architecture relies on an external secure element, this component can be replaced relatively easily with a new, hardened version that supports updated algorithms. Especially when secure elements are available in common form factors such as USB, SD, or SSD, hardware upgrades can be introduced without redesigning the entire device.
  2. Protecting firmware integrity in the supply chain: A major challenge for many embedded devices is that their secure-boot logic is implemented in mask-ROM. Updating mask-ROM requires new silicon masks — a costly and time-consuming process. A practical alternative is to offload the verification of post-quantum signatures to an external PQC-ready secure element. This element verifies the firmware signature and releases cryptographic keys only when the firmware is authentic, ensuring long-term product integrity without modifying the device’s internal ROM.

Neumann: What are the challenges of integrating PQC into existing storage products?

Marx: Embedded devices can often switch to dedicated secure-element controllers, but flash-storage products such as SSDs are typically monolithic. Their cryptographic functions — for example, the mechanisms used to verify controller firmware — are tightly integrated into the controller architecture and therefore difficult to update. Adapting an SSD controller to support entirely new PQC algorithms is a major engineering effort.

Storage controllers generally have limited computational resources and rely heavily on hardware acceleration. Integrating new PQC hardware IP blocks into these controllers requires long development cycles before such solutions can reach the market.

To overcome this, we are developing SSDs that combine NAND flash, a flash controller, and a modern secure-element–grade security controller within the SSD, SD or e.MMC module. By outsourcing PQC-related operations to this dedicated and hardened component, we avoid depending on the flash controller MCU to implement PQC directly. This design also enables future crypto agility, as the secure element can evolve independently of the flash controller.

Neumann: Is there a kind of “best practice” or framework that can help companies with PQC retrofitting?

Marx: There is no dedicated PQC-retrofitting framework yet, but crypto agility is the core principle. Systems must remain capable of:

  • replacing cryptographic algorithms over time,
  • migrating from one PQC standard to the next, and
  • updating or exchanging hardware components that hold sensitive key material.

In some cases, designing systems with replaceable secure elements or modular security components is the most effective strategy — not only for PQC migration but also for lifecycle management and long-term support.

A practical example is a replaceable secure element that resides on an SSD or other removable storage product. Because this component contains the cryptographic logic and key material, swapping the storage device effectively updates the system’s security capabilities without redesigning the underlying hardware.

Neumann: How do you assess the industry’s willingness to make existing systems fit for PQC?

Thiers: If PQC migration requires a complete hardware redesign, industry willingness is likely to remain low. Companies hesitate to re-engineer stable systems solely for cryptographic reasons — especially if this involves downtime, certification updates, or costly redesigns.

However, when retrofitting can be achieved by simply exchanging a security module — for example, a secure element, SD card, or SSD with integrated PQC-ready hardware — acceptance is much higher. Retrofitting reduces cost, risk, and operational impact, offering a pragmatic path to post-quantum readiness.

Neumann: How can storage products help with lifecycle and supply-chain security?

Marx: Many systems ship with sensitive material already embedded — for example, keys used for onboarding, symmetric fallback keys for worst-case scenarios, or transport-lock mechanisms. PQC-ready secure storage devices allow these keys to be stored in protected hardware from the beginning and ensure that even decades-old devices can later authenticate updates securely.

This becomes essential when verifying that an update is communicated with the real device — not a clone introduced by an attacker.

For more information on Elektor’s online conference “Post-Quantum Cryptography” on 3 December, see the conference website.



Editor’s note: eeNews Europe is an Elektor International Media publication. 
