Paper 2024/112

pqm4: Benchmarking NIST Additional Post-Quantum Signature Schemes on Microcontrollers

Matthias J. Kannwischer, Quantum Safe Migration Center, Chelpis Quantum Tech, Taipei, Taiwan
Markus Krausz, Horst Görtz Institute for IT Security, Ruhr University Bochum, Bochum, Germany
Richard Petri, Max Planck Institute for Security and Privacy, Bochum, Germany
Shang-Yi Yang, Quantum Safe Migration Center, Chelpis Quantum Tech, Taipei, Taiwan

In July 2022, the US National Institute for Standards and Technology (NIST) announced the first set of Post-Quantum Cryptography standards: Kyber, Dilithium, Falcon, and SPHINCS+. Shortly after, NIST published a call for proposals for additional post-quantum signature schemes to complement their initial portfolio. In 2023, 50 submissions were received, and 40 were accepted as round-1 candidates for future standardization. In this paper, we study the suitability and performance of said candidates on the popular Arm Cortex-M4 microcontroller. We integrate the suitable implementations into the benchmarking framework pqm4 and provide benchmarking results on the STM32L4R5ZI featuring 640 KB of RAM. pqm4 currently includes reference implementations for 15 submissions and M4-optimized implementations for five submissions. For the remaining candidates, we describe the reasons that hinder integration - the predominant reason being large key size or excessive memory consumption. While the performance of reference implementations is rather meaningless and often does not correlate with the performance of well-optimized implementations, this work provides some first indication of which schemes are most promising on microcontrollers. The publicly available implementations in pqm4 also provide a good starting point for future optimization efforts. Initially, we were hoping for a much higher code quality than for initial submissions to NIST's previous PQC project. However, we got grossly disappointed: Half of the submissions make use of dynamic memory allocations, often completely without reason; Many implementations have compiler warnings, sometimes hinting at more serious issues; Many implementations do not pass simple sanitizer tests such as using valgrind; Multiple implementations make use of static memory.

Keywords: pqm4, NISTPQC, Arm Cortex-M4, microcontrollers, benchmarking
Contact author(s)
matthias @ kannwischer eu
markus krausz @ rub de
rp @ rpls de
nick yang @ chelpis com
2024-01-26: approved
2024-01-25: received
Creative Commons Attribution


      author = {Matthias J. Kannwischer and Markus Krausz and Richard Petri and Shang-Yi Yang},
      title = {pqm4: Benchmarking {NIST} Additional Post-Quantum Signature Schemes on Microcontrollers},
      howpublished = {Cryptology ePrint Archive, Paper 2024/112},
      year = {2024},
      note = {\url{}},
      url = {}