Case Study

PQC evaluation and integration for industrial gateway on an AMD Zynq UltraScale+

PRODUCT

Industrial Gateway

CHALLENGE

The customer needed to evaluate whether post-quantum cryptography could be integrated into their existing AMD Zynq UltraScale+ based industrial gateway within tight FPGA resource constraints, without degrading performance or disrupting the established functional and data communication architecture.

RESULTS

The result was a validated ML-KEM hardware prototype on the target FPGA, confirming resource fit and performance while providing a clear, data-driven roadmap for a phased migration to post-quantum cryptography.

The Challenge

A European manufacturer of industrial communication gateways needed to evaluate post-quantum cryptography for their next product generation. The gateway connects field devices to cloud infrastructure and uses ECDH for key exchange. The design runs on an AMD Zynq UltraScale+ FPGA with limited remaining logic resources.

The engineering team had no prior PQC experience. Their questions:

  • Does ML-KEM fit into the remaining FPGA resources alongside the existing design?
  • What is the performance impact on connection setup latency?
  • How is PQC integrated into the existing software and OS environment?

The Solution

A structured analysis, prototyping, and benchmarking effort demonstrated that ML-KEM can be efficiently integrated on the target FPGA, leading to a hybrid migration strategy with hardware-based PQC for key exchange, continued use of ECDH in the current generation, and a phased transition to full post-quantum cryptography aligned with IEC 62443 requirements.

Analysis

  • Mapped all cryptographic usage across firmware and communication stack
  • Identified ECDH key exchange as the primary quantum-vulnerable component
  • Assessed available FPGA resources: ~12,000 LUTs and 30 BRAM blocks remaining

Prototyping

  • Integrated KiviPQC-KEM (ML-KEM-768, Tiny variant) on the target Zynq UltraScale+ device
  • Measured resource consumption:
    • ~4000 LUTs
    • 15 BRAM blocks
  • Measured latency and speed and compared them against requirements
  • Validated coexistence with existing ECDH-based architecture

Migration Path

  • Phase 1: Deploy ML-KEM for device-to-cloud key exchange (current product revision)
  • Phase 2: Add ML-DSA for firmware signature verification (next product generation)
  • Phase 3: Full PQC migration including certificate chain
  • Provided documentation for customer's IEC 62443 security architecture review

The Results

The customer had a working ML-KEM prototype on their actual hardware after 4 weeks. Resource fit was confirmed, performance requirements were met, and the engineering team had a clear, prioritized migration roadmap. The decision to proceed with hardware-accelerated PQC was based on measured data, not estimates.