Quarc

A secure element built for the post-quantum era.

Hardware-accelerated ML-KEM and ML-DSA on a fully open and auditable RISC-V architecture.

View on GitHub Contact Us
Open Hardware · Apache 2.0 · Post-Quantum Ready
FIPS 203/204
NIST PQC standards
<0.5ms
ML-KEM operations
≥3× faster
vs Cortex-M4 PQC
100% open
Toolchain & RTL
The quantum gap

Every SE shipping today will be broken by quantum computers.

Every Secure Element shipping today relies entirely on classical cryptography — ECC, RSA, AES. Shor's algorithm on a cryptographically relevant quantum computer breaks all of them. NIST finalised post-quantum standards in 2024 (FIPS 203, 204, 205). Regulators in the EU, US and Germany project mandatory PQC adoption in critical infrastructure by 2030.

The IoT devices being deployed today will outlive that window. Quarc closes the gap — hardware-accelerated ML-KEM-768 and ML-DSA-65, packaged with the full SE feature set IoT silicon vendors expect.

Classical SE today Quarc
PQC hardware accelerator None ML-KEM-768 + ML-DSA-65
Hybrid PQC + classical No Yes (v1)
Open auditable toolchain No Yes — Yosys / nextpnr
HDL transparency Vendor-locked Verilog 2005 + sv2v
Migration path to ASIC Locked No RTL rewrite
TEE root-of-trust roadmap No Yes (v3)
Features

Built for quantum-safe trust.

Post-quantum cryptography, hardware-enforced key isolation, and open hardware in one auditable secure element.

Hardware-Accelerated PQC

Dedicated ML-KEM-768 and ML-DSA-65 engines with a shared NTT core. ≥ 3× faster than software PQC on Cortex-M4.

Key Usage Enforcer

Key bytes never leave the secure store. Per-slot policy bits enforced by hardware — firmware cannot read or misuse key material.

Anti-Rollback Secure Boot

Immutable Boot ROM verifies firmware with ML-DSA-65 and checks the hardware monotonic counter. Any failed boot halts the device.

Encrypted Host Channel

SPI channel runs Noise Protocol IK with hybrid ML-KEM-768 + X25519. AES-256-GCM payload encryption with monotonic nonces.

Open & Auditable

100% open-source toolchain — Yosys, nextpnr, SymbiYosys. Verilog 2005 only. Formally verified bus, KUE, and lifecycle FSM.

ASIC-Ready

No FPGA-specific primitives. The same RTL ports to 40 nm / 22 nm FD-SOI — targeting FIPS 140-3 Level 3 and Common Criteria EAL5+.

Architecture

Crypto-first. CPU-second.

Ibex orchestrates. It does not do crypto. Every heavy operation runs in a dedicated, constant-time hardware accelerator.

Quarc SoC (ECP5-85K v1)
Ibex RV32IMC
Wishbone-lite bus · ~200 lines · formally verified
Crypto Engines
ML-KEM-768ML-DSA-65Keccak/SHAKENTT coreTRNG + DRBG
Key Store
KUE (RTL)DMA-only accessNo firmware reads
Boot ROM
Immutable
TRNG Health
SP 800-90B
Lifecycle FSM
One-way · RTL
Rollback Counter
Hardware monotonic
Host Interface
Host MCU
STM32 / ESP32 / any
SPI
Physical interface
Noise IK
ML-KEM-768 + X25519
AES-256-GCM
Payload encryption
How it works

Provision. Verify. Trust.

01

Provision identities

Generate post-quantum keys into isolated hardware-backed storage. Set KUE policy bits per slot — SIGN_ONLY, DECAP_ONLY, NO_EXPORT. Set once, enforced by hardware.

02

Establish secure channels

Any host MCU connects over SPI. The Noise IK channel opens with a hybrid ML-KEM-768 + X25519 key exchange, giving forward secrecy from the first byte.

03

Anchor trust at runtime

Verify firmware, sign messages, and decapsulate keys through the encrypted SPI channel. Every operation enforced by the KUE — the CPU never holds key bytes.

Performance

Hardware beats software. By a wide margin.

Quarc at 50 MHz on ECP5-85K vs pqm4 on Cortex-M4 at 168 MHz. ASIC at 200–400 MHz lifts every figure proportionally.

Operation Quarc target pqm4 · M4 @ 168 MHz Speed-up
ML-KEM-768 KeyGen < 0.5 ms ~1.5 ms ≥ 3×
ML-KEM-768 Encaps < 0.5 ms ~1.7 ms ≥ 3×
ML-KEM-768 Decaps < 0.5 ms ~1.8 ms ≥ 3×
ML-DSA-65 KeyGen < 2 ms ~6 ms ≥ 3×
ML-DSA-65 Sign < 5 ms ~12 ms ≥ 2×
ML-DSA-65 Verify < 2 ms ~5 ms ≥ 2×
Security Model

Hardware enforces. Firmware orchestrates.

Quarc assumes firmware can fail. Every security-critical guarantee is enforced directly in RTL — not in software.

No key exposure
Key bytes never appear on the system bus — DMA from key store into engine registers only.
Lifecycle enforcement
MANUFACTURING → PROVISIONED → LOCKED → RMA. One-way FSM in RTL — state never decreases.
Immutable secure boot
Boot ROM is hardwired. ML-DSA firmware verification and rollback check run before any firmware executes.
Constant-time crypto
No secret-dependent memory access or timing behavior anywhere in the hardware engines.
Zeroized scratchpads
Sensitive intermediate values cleared automatically in RTL after every cryptographic operation.
Replay-proof interface
Noise IK with strictly monotonic nonces. Replayed commands are rejected before decryption.

Key Usage Enforcer (KUE)

Per-slot policy bits set at provisioning, enforced by hardware on every operation.

Policy bitMeaning
SIGN_ONLY Slot usable only for ML-DSA signing
DECAP_ONLY Slot usable only for ML-KEM decapsulation
NO_EXPORT Key bytes never leave the key store
NO_OVERWRITE Slot cannot be re-provisioned
COUNTER_LIMIT Use-count cap — operation blocked when reached

Device lifecycle

State transitions are one-way and irreversible. The FSM is implemented in RTL — no firmware path can return to an earlier state.

MANUFACTURING
PROVISIONED
LOCKED
RMA

Every SPI command is permission-gated against the current state.

Use cases

Where quantum-safe trust matters.

IoT Root of Trust

Quantum-safe device identity, signed OTA updates, secure boot with rollback protection, and fleet attestation.

IoTOTADevice Identity

Industrial & Infrastructure

Energy, transport, and water systems — long-lived devices that will outlive the classical PKI window.

IndustrialCritical InfrastructureLongevity

Automotive & V2X

ML-DSA-signed messages, attested firmware, and quantum-safe key provisioning across the OEM supply chain.

AutomotiveV2XOEM

Confidential Computing

PQC attestation reports and sealing keys for confidential VMs — anchoring post-quantum trust in cloud and edge platforms.

TEEConfidential ComputingCloud
Roadmap

Built for the next decade of secure computing.

v1 FPGA Prototype Current
  • ULX3S · ECP5-85K FPGA
  • Hardware-accelerated ML-KEM-768 + ML-DSA-65
  • Key Usage Enforcer (KUE)
  • Device lifecycle FSM (RTL)
  • Anti-rollback secure boot
  • Noise IK encrypted SPI channel
  • 100% open-source toolchain
v2 Hardened SE (ASIC)
  • Silicon PUF — hardware-rooted identity
  • Real OTP / NVM for persistent key storage
  • Active tamper detection (voltage, temperature, light, EMP)
  • Boolean-masked NTT for side-channel resistance
  • SLH-DSA (FIPS 205) hash-based signatures
  • Common Criteria EAL4+ certification path
  • FIPS 140-3 Level 3
v3 TEE Root of Trust
  • PQC attestation reports for confidential computing
  • Sealing keys bound to firmware measurement
  • Quantum-safe key migration between devices
  • PCIe or I3C platform interface
  • Targets: AMD SEV-SNP · Intel TDX · Arm CCA
FAQ

Common questions.

What is a post-quantum secure element?

A secure element designed to resist attacks from future quantum computers. Classical SE cryptography — ECC and RSA — is broken by Shor's algorithm on a cryptographically relevant quantum computer. Quarc replaces those with NIST-standardised ML-KEM (FIPS 203) and ML-DSA (FIPS 204) running in dedicated hardware accelerators.

How does the Key Usage Enforcer work?

The KUE is a small RTL policy engine between the key store and the crypto engines. Per-slot policy bits (SIGN_ONLY, DECAP_ONLY, NO_EXPORT, NO_OVERWRITE, COUNTER_LIMIT) are set at provisioning and enforced by hardware on every operation. Key bytes DMA directly into engine registers — they never appear on the main bus. A firmware call requesting DSA_SIGN on a DECAP_ONLY slot is rejected by RTL, not software.

What does 100% open toolchain mean?

Every byte of the Quarc bitstream is produced by open-source tools: Yosys for synthesis, nextpnr-ecp5 for place-and-route, sv2v for Ibex SystemVerilog conversion, SymbiYosys for formal verification, and Icarus Verilog / Verilator for simulation. No proprietary EDA in the synthesis path. The bitstream is reproducible from the published RTL.

Is Quarc production silicon?

Quarc v1 targets FPGA prototyping on the ULX3S (ECP5-85K). The v2 roadmap targets an ASIC at 40 nm or 22 nm FD-SOI — no RTL rewrite required. v3 extends to a TEE root-of-trust for confidential computing platforms.

Can Quarc integrate with existing MCUs?

Yes. Any host MCU — STM32, ESP32, or your own — drives Quarc over SPI. The encrypted Noise IK channel opens with a CHANNEL_INIT command. From the host's perspective, Quarc is an SPI peripheral that handles all post-quantum cryptography.

Why does post-quantum security matter now?

Devices deployed today may still be operating when quantum attacks become practical. NIST finalised PQC standards in 2024. EU and US regulators project mandatory PQC adoption in critical infrastructure by 2030. Quarc closes the gap so devices deployed today aren't vulnerable at end-of-life.

Get started

Prepare your systems for the post-quantum decade.

Open, auditable, hardware-enforced trust for next-generation connected systems. Talk to us about evaluation kits, ASIC partnerships, and OEM silicon programmes.

Contact Us GitHub