Blog Embedded Security | KiviCore

ML-DSA explained: Quantum-Safe digital Signatures for secure embedded Systems

Written by Editorial Team | Oct 31, 2025 7:45:01 AM


1. Introduction

Every secure connection begins with trust. Whether it is an IoT sensor communicating with the cloud, an ECU authenticating itself on a vehicle network, or industrial controllers exchanging data, the authenticity and integrity of the data are guaranteed by digital signatures.

Today's systems are under threat because quantum computers will soon be able to break the RSA- and ECC-based security standards in use today. Systems being developed now must already be prepared for this change, especially those with long product life cycles.

Post-quantum cryptography (PQC) counters this threat. ML-DSA (Module-Lattice-Based Digital Signature Algorithm, NIST FIPS 204) is the new standard for digital signatures.

This article explains why ML-DSA is important for the future security of embedded systems and what solutions KiviCore offers to enable developers of embedded systems to protect them.

2. Why digital Signatures matter

Digital signatures ensure that the firmware, data or messages a system uses come from a trusted source, that nothing has been tampered with, and that the sender cannot deny authorship. In cryptography these properties are called authenticity, integrity, and non-repudiation.

  • Authenticity: Verify that firmware, messages, or data originate from a trusted source.
  • Integrity: Ensure that nothing has been altered.
  • Non-repudiation: Prevent the sender from denying authorship.

If these properties are not enforced in embedded systems, attackers can inject forged or manipulated data, with serious consequences for the system and the application.


3. How digital Signatures work today

For decades, algorithms such as RSA (Rivest-Shamir-Adleman) and Elliptic Curve Cryptography (ECC) have been the solution for digital signatures. These algorithms rely on mathematical problems that are computationally infeasible to solve, even for the most powerful classical computers.

  • RSA: Relies on the difficulty of factoring large integers that are the product of two large primes.
  • ECC: Relies on the difficulty of the discrete logarithm problem on elliptic curves.

Both algorithms use a private key, which the signer keeps secret, and a public key, which can be freely distributed. To sign data, the signer uses their private key to create a unique digital signature. Anyone with the corresponding public key can then verify that the signature is valid and that the data has not been altered. This model is public-key cryptography; the system for distributing and certifying such public keys, the public key infrastructure (PKI), has been the foundation of our digital security for many years.


4. From classic Signatures to Post-Quantum resilient Signatures

Quantum computers pose a serious threat to today's digital signatures. Once they are powerful enough, they will run Shor's algorithm (a quantum algorithm that factors integers and computes discrete logarithms in polynomial time) to break RSA and ECC. To address this problem, the global cryptography community, led by NIST, has developed post-quantum cryptography (PQC) algorithms based on mathematical problems that are believed to resist both classical and quantum attacks. After years of evaluation, NIST has selected several standards. For digital signatures, the primary algorithm is CRYSTALS-Dilithium, standardized as ML-DSA (FIPS 204). Together with ML-KEM (key encapsulation) and SLH-DSA (hash-based signatures), it forms the NIST PQC standard set.

Governments, industries, and standardization bodies (ISO, ETSI, IETF) worldwide are coordinating migration plans. In Europe, the roadmap targets 2026 for planning, 2030 for securing critical infrastructure, and 2035 for full PQC transition in all industries.

The PQC requirement is closely related to other cybersecurity regulation such as the Cyber Resilience Act (CRA). The CRA requires manufacturers to implement state-of-the-art security measures throughout the entire product lifecycle. As quantum computers are expected to break traditional cryptographic algorithms such as RSA and ECC, PQC is anticipated to become the new state of the art and therefore mandatory.

5. How ML-DSA works

ML-DSA provides quantum-resistant digital signatures based on the difficulty of finding short vectors in module lattices. Its implementation differs significantly from RSA and ECC. The process consists of three main phases:

  • Key generation: ML-DSA uses a public/private key pair with significantly larger keys than RSA or ECC. The private key consists of small-norm vectors sampled from a bounded distribution over a module lattice. The public key is derived from the private key via a linear relation involving a public matrix. Recovering the secret from the public key is as hard as solving the Module-LWE problem, which is believed to be infeasible even for quantum computers. From a hardware perspective, key generation requires secure random numbers and matrix-vector multiplications over a polynomial ring.
  • Signing: To sign a message, the signer samples an ephemeral masking vector (derived deterministically or with fresh randomness, depending on the variant) and hashes the message together with other parameters using SHAKE-256. The algorithm then combines the hash output, the secret vectors of the private key, and the ephemeral vector to compute the signature, retrying if the candidate would leak information about the secret. This step consists of many small-integer polynomial operations in a polynomial ring with modular arithmetic.
  • Verification: The verifier uses the public key, message, and signature to reconstruct the challenge value and checks the consistency of the lattice equations modulo q. If the reconstructed challenge matches the one embedded in the signature and all signature components are within the prescribed bounds, the signature is accepted as valid. This step is less resource-intensive than signing.
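The three phases above, reduced to a toy model written for this article (it is neither FIPS 204 code nor KiviCore's): the same keygen, sign and verify structure as ML-DSA, including the Fiat-Shamir-with-aborts retry and the high-bits check that lets the verifier regenerate the challenge, but with tiny constructed parameters, schoolbook polynomial arithmetic instead of the NTT and no hint vector, so it offers no security and exists only to show why verification works.

```python
import hashlib, secrets

# Toy parameters, constructed for illustration only (FIPS 204 uses N=256, Q=8380417 and far larger
# K, L, GAMMA1, GAMMA2, TAU): these values give NO security, only the algorithm structure matches.
N, Q, K, L, ETA, TAU, GAMMA1, GAMMA2 = 4, 257, 2, 2, 1, 2, 64, 32  # ring Z_Q[X]/(X^N+1), K x L module
ALPHA, BETA = 2 * GAMMA2, TAU * ETA  # high-bit rounding base; max infinity norm of c*s1 or c*s2
def poly_mul(a, b):  # schoolbook product in Z_Q[X]/(X^N + 1), i.e. X^N == -1 (no NTT in this toy)
    r = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            r[(i + j) % N] += ai * bj if i + j < N else -ai * bj
    return [v % Q for v in r]
def poly_add(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def poly_sub(a, b): return [(x - y) % Q for x, y in zip(a, b)]
def mat_vec(A, v):  # K x L matrix of ring elements times a length-L vector of ring elements
    return [[sum(col) % Q for col in zip(*[poly_mul(A[i][j], v[j]) for j in range(L)])] for i in range(K)]
def inf_norm(vec):  # infinity norm over centered representatives in (-Q/2, Q/2]
    return max(abs(v if v <= Q // 2 else v - Q) for p in vec for v in p)
def high_bits(vec): return [[v // ALPHA for v in p] for p in vec]
def encode(vec): return b"".join(v.to_bytes(2, "big") for p in vec for v in p)
def sample_in_ball(c_tilde):  # expand the hash into a sparse challenge with TAU coefficients in {-1, +1}
    stream, c = hashlib.shake_256(c_tilde).digest(512), [0] * N
    for b0, b1 in zip(stream[::2], stream[1::2]):
        if sum(1 for v in c if v) == TAU: break
        if c[b0 % N] == 0: c[b0 % N] = 1 if b1 & 1 else Q - 1
    return c

def keygen(rnd=secrets.randbelow):  # pk = (A, t = A*s1 + s2); sk additionally holds small-norm s1, s2
    small = lambda: [(rnd(2 * ETA + 1) - ETA) % Q for _ in range(N)]
    A = [[[rnd(Q) for _ in range(N)] for _ in range(L)] for _ in range(K)]
    s1, s2 = [small() for _ in range(L)], [small() for _ in range(K)]
    t = [poly_add(a, b) for a, b in zip(mat_vec(A, s1), s2)]
    return (A, t), (A, t, s1, s2)

def sign(sk, msg, rnd=secrets.randbelow):  # Fiat-Shamir with aborts: retry until z is safe to release
    A, t, s1, s2 = sk
    while True:
        y = [[(rnd(2 * GAMMA1 - 1) - GAMMA1 + 1) % Q for _ in range(N)] for _ in range(L)]
        w = mat_vec(A, y)
        c_tilde = hashlib.shake_256(encode(t) + msg + encode(high_bits(w))).digest(32)
        c = sample_in_ball(c_tilde)
        z = [poly_add(y[j], poly_mul(c, s1[j])) for j in range(L)]
        w_cs2 = [poly_sub(w[i], poly_mul(c, s2[i])) for i in range(K)]  # what the verifier will recompute
        if inf_norm(z) < GAMMA1 - BETA and high_bits(w_cs2) == high_bits(w):  # else z leaks or c mismatches
            return c_tilde, z
def verify(pk, msg, sig):  # w' = A*z - c*t equals w - c*s2, so its high bits regenerate c_tilde
    (A, t), (c_tilde, z) = pk, sig
    if len(z) != L or inf_norm(z) >= GAMMA1 - BETA: return False  # bound check before any arithmetic
    c = sample_in_ball(c_tilde)
    w_prime = [poly_sub(a, poly_mul(c, ti)) for a, ti in zip(mat_vec(A, z), t)]
    return c_tilde == hashlib.shake_256(encode(t) + msg + encode(high_bits(w_prime))).digest(32)
```

In the real scheme the low bits of w - c*s2 are bounded instead of compared directly, and a hint vector lets the verifier use a compressed t; the identity A*z - c*t = w - c*s2 that makes verification work is the same.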

ML-DSA is specified in three parameter sets that offer different security levels.

  • ML-DSA-44: Lowest resource usage, suitable for constrained devices.
  • ML-DSA-65: Balanced option, recommended for most use cases.
  • ML-DSA-87: Highest security, suitable for long-term protection or high-value assets.

6. KiviPQC IP Core for digital Signatures

The KiviPQC-DSA is a hardware accelerator implementing ML-DSA, the post-quantum signature standard defined in NIST FIPS 204. It supports all parameter sets specified in the standard. The IP core is also available as a verification-only variant. This variant is ideal for devices that only need to verify signed data, as in secure boot, secure update, data and message authentication, access control and licensing, verification of signed control commands, signed configuration, policy updates, and similar use cases.

Easy to integrate

Integrating the KiviPQC-DSA IP Core into any SoC for FPGA is straightforward. The KiviPQC-DSA IP Core is a LINT-clean, re-usable design, and communication with the host processor takes place over an AMBA® AXI4-Lite interface. A platform-agnostic C API and reference software package simplify software integration and testing. Comprehensive documentation for integration and implementation is included. All KiviCore IP cores are developed in Germany. For evaluation, they are instantly available via online delivery. Fast web support (typically within 8 hours on business days) ensures that customers can move quickly from delivery to integration, implementation, and evaluation.

Minimal logic utilization

KiviPQC-DSA was built from the ground up for area-constrained and performance-sensitive designs. While PQC implementations often require parallel arithmetic engines and large memories, KiviCore’s design uses sequential computation and optimized logic paths to minimize resource usage without compromising security. As a self-contained engine it has a minimal attack surface by design and offers protection against timing-based side-channel attacks.

KiviPQC-DSA is available in two configurations:

  • KiviPQC-DSA-Tiny: Optimized for minimal logic resource utilization
  • KiviPQC-DSA-Fast: Optimized for fast processing


7. Conclusion

The shift towards quantum-safe cryptography is inevitable. As quantum computing advances, embedded systems that rely on RSA and ECC will fail to meet the security standards set out in new legislation such as the CRA. However, with ML-DSA (NIST FIPS 204), designers now have a standardized, quantum-resistant digital signature scheme that will ensure authenticity, integrity, and non-repudiation for the next generation of connected devices.

The KiviPQC-DSA IP Core enables the seamless hardware integration of ML-DSA across FPGAs and ASICs. Its computation architecture, minimal logic utilization, and standard AXI4-Lite interface make it ideal for area-constrained, performance-sensitive designs. Backed by a platform-agnostic software package, comprehensive documentation, and fast technical support, it enables embedded developers to efficiently migrate their systems to post-quantum security standards.

By integrating KiviPQC-DSA, manufacturers not only prepare their products for the quantum era but also ensure long-term CRA compliance and resilience against future cryptographic threats.