PQC: Myths vs Facts Archives - BREAKTHROUGH IN HARDWARE SECURITY

Myth 1: “Strong enough quantum computers don’t exist yet, so PQC can wait.”

Fact

Data encrypted today can be stored and decrypted later once quantum computers mature (“harvest now, decrypt later”). 

Sensitive data and long-lived systems must be protected now, not when quantum computers become practical.

FortifyIQ Solution

FortifyIQ enables immediate PQC deployment in software, allowing protection of data and devices already in the field, without waiting for new silicon, secure elements, or hardware redesigns.

This makes it practical to mitigate long-term cryptographic risk today, not years from now.

Myth 2: “PQC is still experimental and not ready for real systems.”

Fact

PQC is standardized and production-ready.

NIST has standardized ML-KEM and ML-DSA, and these algorithms are already being deployed in commercial, industrial, and government systems.

FortifyIQ Solution

FortifyIQ delivers production-grade PQC implementations with validated side-channel and fault injection resistance, suitable for real-world deployment across embedded devices, edge systems, and data centers.

Our libraries are designed for operational environments, not academic prototypes.

Myth 3: “If an algorithm is NIST-approved, it is secure by definition.”

Fact

NIST standardizes algorithms, not implementations.

A mathematically secure PQC algorithm can be completely broken if its implementation leaks secrets through side-channel or fault-injection attacks. PQC algorithms are particularly vulnerable to these attacks.

FortifyIQ Solution

Implementation security, with side-channel and fault injection resistance is our expertise. We adapted the same algorithmic protection techniques used in our certified AES implementations to PQC, extending protection beyond polynomial arithmetic to secure all stages of ML-KEM and ML-DSA.

Myth 4: “Standard masking is enough to protect PQC implementations.”

Fact

Standard share-based masking does not protect all stages of PQC algorithms. Academic research has shown successful attacks exploiting:

- Compression and decompression
- Coding and encoding
- NTT memory access patterns
- Verification logic
- Hashing

In some cases, secret keys were recovered through a side-channel attack with a single power trace. Full-algorithm protection is essential.

FortifyIQ Solution

FortifyIQ’s PQC solutions are designed with inherent resistance to side-channel attacks across all algorithm stages, including those commonly left unprotected by standard masking approaches.

Myth 5: “PQC is too slow or too heavy for real systems.”

Fact

PQC is asymmetric cryptography and is used during key exchange, authentication and signature verification.

With optimized, high-assurance implementations, even software PQC is practical for embedded devices, edge systems, and even data centers, until a protected hardware PQC implementation is integrated and deployed.

FortifyIQ Solution

FortifyIQ’s PQC implementations rely on patented-pending, algorithmic protection techniques rather than add-on countermeasures. This preserves efficiency both in software and hardware implementations, while providing built-in resistance to side-channel and fault injection attacks.The unified API makes the change to hardware PQC very simple, with the same interfaces as the software PQC.

Myth 6: “PQC requires new hardware or secure elements.”

Fact

PQC does not require new hardware.

High-assurance PQC can run securely in software on standard CPUs, including legacy platforms. Hardware acceleration is optional and can be added later if needed for performance and power considerations.

FortifyIQ Solution

Our secure PQC software libraries are ready for immediate deployment, including OTA updates.

A unified software/hardware API allows systems to start with software PQC and migrate seamlessly to hardware when a new silicon design becomes available.

Myth 7: “Only hardware can provide real PQC security.”

Fact

Hardware provides higher fault injection resistance and acceleration, and uses less power. However, well-designed software PQC can already meet high-assurance security requirements, including SCA and FIA resistance.

The optimal approach is software first, hardware when needed… with a unified API.

FortifyIQ Solution

FortifyIQ’s software PQC libraries are validated as side-channel resistant across all algorithm stages and include fault injection resistance, enabling certification at high assurance levels even without dedicated hardware.

The unified API enables seamless transition to hardware when required.

Myth 8: “All PQC implementations offer similar security.”

Fact

PQC implementations vary dramatically in real security. Even where side-channel protection is applied, many protect only the polynomial arithmetic and leave other stages exposed, enabling practical attacks in published research, despite using NIST-approved algorithms.

Security depends on how PQC is implemented, not just which algorithm is used.

FortifyIQ Solution

Our PQC libraries and hardware solutions protect all algorithm stages, are validated against side-channel attacks, resist fault injection attacks, and are designed to be updated in software or firmware as new threats emerge.

Myth 9: “PQC will change completely in a few years anyway.”

Fact

The standardized PQC algorithms are not expected to change, although new algorithms may be standardized. What will evolve are attack techniques. That is why algorithm-aware, updatable PQC implementations must be designed with full knowledge of each algorithm’s internal stages and be updatable in firmware as attacks evolve.

FortifyIQ Solution

FortifyIQ designs both software and hardware PQC with lifecycle security in mind. Our implementations support OTA/FOTA updates of algorithms, parameters, and protections, enabling mitigation of emerging threats and alignment with updated standards without hardware redesign.

Myth 10: “Hybrid cryptography is unnecessary complexity.”

Fact

Hybrid cryptography is essential during the transition period from classical to post quantum cryptography.

Many systems must communicate with legacy devices that still use RSA or ECC. Hybrid schemes ensure secure interoperability while moving toward full PQC adoption.

FortifyIQ Solution

FortifyIQ provides area-efficient hybrid cryptographic solutions in both software and hardware, combining classical algorithms (RSA/ECC) with PQC to support secure communication throughout the transition period, which can take many years.

Myth 11: “PQC is only relevant for government or defense.”

Fact

Harvesting of private data is already happening with the intention of decrypting with post-quantum computers, when they become available. In addition, ECC/RSA will be discontinued in 2030, and forbidden in 2035.

Therefore, PQC is immediately relevant wherever:

Systems have long lifetimes
Data has long-term value
Devices may be physically or remotely attacked

This includes automotive, medical devices, industrial IoT, smart infrastructure, media, and cloud systems.

However, by 2035, all devices with asymmetric cryptography will need PQC.

FortifyIQ Solution

FortifyIQ’s cryptographic software libraries enable immediate PQC deployment on existing devices with minimal RAM and ROM requirements.

A unified software/hardware API ensures a smooth migration to hardware later, at the next tapeout, without changes to the application or security stack.

FortifyIQ Perspective

Post-quantum security is not just about algorithms.
It is about implementation security, migration, and long-term resilience.

FortifyIQ delivers

High-assurance PQC in software and hardware

Full-algorithmic SCA and FIA protection

A single API enabling
smooth SW → HW migration

Updatable configurable solutions designed for future attack evolution