ST recently released its first post-quantum cryptographic library package, X-CUBE-PQC, ensuring STM32 microcontrollers are ready to pass the latest security certifications that will protect users against attacks running on quantum computers. The software package works in conjunction with X-CUBE-CRYPTOLIB, a firmware library that implements extensive security features on STM32, including encryption and decryption algorithms. In the case of X-CUBE-PQC, it will offer updated algorithms certified by the Cryptographic Algorithm Validation Program of the National Institute of Standards and Technology to ensure that encryption, hashing, authentication, or signing operations remain future-proof as quantum computers become more capable.
Why does PQC already matter?
Algorithms are already compromised
Avid readers will remember that, in 2024, we talked about Quantropi, a member of the ST Partner Program that brings PQC to STM32 devices. More recently, at Embedded World 2025, we featured a demo showing how developers could set up an end-to-end encrypted communication system on AWS that supported post-quantum cryptographic solutions. In a nutshell, embedded systems are increasingly adopting PQC, while regulators in Europe and America are starting to demand that IoT solutions be quantum-resistant. Decision-makers are feeling even more pressure to protect their products, mainly because of the paradox that attacks by quantum computers do not require a quantum response.
Solutions are already in place
No one knows when quantum computers will be mainstream enough to threaten the cryptographic schemes in use today, but many expect this to happen within a few years. Post-quantum cryptography, however, runs on a classical processor and does not require a quantum computer. By fortifying algorithms, tweaking key handling, and increasing key length, it is possible to protect systems against quantum attacks by using just a microcontroller, in some cases. PQC does come with some performance penalty and increased memory needs, but this can be mitigated by offering a mix of PQC and classical cryptography, for instance.

X-CUBE-PQC already helps
It’s for this reason that ST released X-CUBE-PQC. It helps developers implement PQC on our STM32 devices more efficiently. It addresses some of the development complexities and leverages the STM32 cryptographic accelerator to mitigate the performance penalty. In a nutshell, it makes PQC on embedded systems more accessible by lowering the barrier to entry. Even developers with little experience in PQC or cryptography, in general, can efficiently utilize our library to future-proof their applications. As embedded systems must often remain operational for decades, developers must protect their code, data, and users against future threats, especially those that the industry is already aware of.
How are we helping embedded systems?
LMS
X-CUBE-PQC first got support for the Leighton-Micali signature (LMS). Its public key may be as small as 64 bytes, and it relies on hashing operations. It doesn’t require operations with large integers, thereby minimizing any performance penalty and making it a great candidate for microcontrollers. In broad terms, the algorithm utilizes a Merkle tree, where the leaves contain one-time signatures, the branches store hashes, and the root holds the public key. Hence, the algorithm creates a one-time signature and then verifies its integrity by going through the tree to determine whether it obtains the public key or not.
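The tree walk described above, as an added example that is not ST's code and does not use the X-CUBE-PQC API. It is a simplified sketch: a Lamport one-time signature stands in for the LM-OTS scheme that LMS specifies, the domain-separation prefixes are constructed, and all function names are hypothetical.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def msg_bits(msg: bytes) -> list:
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def ots_keypair(seed: bytes, q: int):
    """Lamport one-time key number q: 256 secret pairs and their hashes."""
    sk = [[H(seed, q.to_bytes(4, "big"), bytes([i, b])) for b in (0, 1)] for i in range(256)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk

def leaf_hash(pk) -> bytes:
    return H(b"leaf", *[h for pair in pk for h in pair])

def build_tree(seed: bytes, height: int) -> list:
    """Return all levels: levels[0] holds the leaves, levels[-1][0] is the root."""
    levels = [[leaf_hash(ots_keypair(seed, q)[1]) for q in range(2 ** height)]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(b"node", prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

def sign(seed: bytes, levels: list, q: int, msg: bytes) -> dict:
    sk, pk = ots_keypair(seed, q)
    # Reveal one secret per message bit, plus the hash of the unrevealed one.
    ots = [(sk[i][b], pk[i][1 - b]) for i, b in enumerate(msg_bits(msg))]
    # Authentication path: the sibling of the signer's node at every level.
    path = [level[(q >> h) ^ 1] for h, level in enumerate(levels[:-1])]
    return {"q": q, "ots": ots, "path": path}

def verify(root: bytes, msg: bytes, sig: dict) -> bool:
    # Rebuild the one-time public key from the signature, then walk up the tree.
    pk = []
    for (secret, other), b in zip(sig["ots"], msg_bits(msg)):
        pk.append([H(secret), other] if b == 0 else [other, H(secret)])
    node, q = leaf_hash(pk), sig["q"]
    for sibling in sig["path"]:
        node = H(b"node", node, sibling) if q % 2 == 0 else H(b"node", sibling, node)
        q >>= 1
    return node == root  # accept only if the walk ends at the public key

SEED = b"constructed-demo-seed"      # constructed sample value, not a real key
LEVELS = build_tree(SEED, height=3)  # 8 one-time keys under one root
ROOT = LEVELS[-1][0]                 # the 32-byte value a verifier would store
```

Each leaf index `q` may sign only one message, so a signer has to persist the next unused index across resets; this sketch does not track that state.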
ML-KEM and ML-DSA
LMS is thus an excellent algorithm for signing firmware and other secure boot images, as one public key can generate numerous one-time signatures. ST also recently implemented ML-KEM (FIPS-203), ML-DSA (FIPS-204), and XMSS. ML stands for Module Lattice, meaning that they rely on finding lattices, or a set of independent vectors. This mechanism offers an excellent compromise between security and performance. The Key Encapsulation Mechanism (KEM) replaces algorithms like ECDH or RSA to optimize key exchanges, while the Digital Signature Algorithm (DSA), which replaces ECDSA and RSA, will sign firmware and other critical pieces of code. Both are certified by the Cryptographic Algorithm Validation Program (CAVP).
The ST advantage
By implementing these algorithms on STM32 MCUs, ST can support the entire cryptographic chain, from key generation and installation at the factory to its secure use by various software and the acceleration of the algorithm itself. It is, therefore, in a unique position, as few companies control both hardware and software like we do. As a result, we also work closely with the National Institute of Standards and Technology and have even developed the Keccak algorithm that plays a role in ML-KEM and ML-DSA. Consequently, developers can expect future versions of X-CUBE-PQC to enhance their resistance against quantum attacks as they benefit from our evolving ecosystem.