Nuvoton NuMicro® M2354 Achieves Post-Quantum Cryptography: A Deep Dive into ML-KEM on MCU

恒森科技 Jul 01, 2026
Tags: Nuvoton, M2354, Post-Quantum Cryptography, ML-KEM, Cortex-M23, TrustZone, PSA Certified, IoT Security
Nuvoton has announced that its NuMicro® M2354 series has successfully implemented post-quantum cryptography based on the open-source MicroPQC framework.

Introduction: Why IoT Security Must Evolve for the Quantum Era

In August 2024, NIST finalized its first three Post-Quantum Cryptography (PQC) standards: FIPS 203 ML-KEM (key encapsulation), FIPS 204 ML-DSA (digital signatures), and FIPS 205 SLH-DSA (hash-based signatures). These mark the beginning of the end for RSA and ECC, the public-key algorithms that have anchored internet security for over two decades. A sufficiently powerful quantum computer running Shor's algorithm could break them in polynomial time.

For resource-constrained IoT endpoints, the challenge is acute. PQC algorithms rely on large-integer matrix arithmetic and Merkle tree structures, with key and signature sizes far larger than ECC. Running them efficiently on Cortex-M-class MCUs has been the central engineering question for the global embedded security community over the past two years.

In June 2026, Nuvoton announced that its NuMicro® M2354 series has successfully implemented PQC based on the open-source MicroPQC framework, becoming one of the first Asian MCU platforms to ship ML-KEM on a production Cortex-M23 device. This article unpacks the technical and commercial implications of that milestone.

What Happened: M2354 Achieves Quantum-Readiness

According to CTIMES, the key facts of the announcement are:

  • Ported the open-source MicroPQC framework onto NuMicro® M2354 with full ML-KEM implementation;
  • Combined with Arm® TrustZone® hardware isolation and PSA Certified / SESIP Level 3 protection;
  • Deeply tuned the NTT (Number Theoretic Transform) for Cortex-M23, achieving roughly 30% reduction in cycle count versus generic reference implementations;
  • Through aggressive memory optimization, kept ML-KEM-768 RAM footprint below 12KB;
  • Supported both global PQC standards and localized Korean cryptographic requirements (KS algorithm family).

Nuvoton positions M2354 as a "Quantum-Ready" platform—customers can layer PQC capabilities onto existing M2354 designs without replacing hardware, ensuring a smooth migration to the post-quantum era.

Technical Breakdown: Why M2354 Can Run PQC

The core bottleneck for PQC on embedded devices is the combined pressure of compute and memory. Three dimensions explain M2354's breakthrough.

(1) Algorithm Selection: Why ML-KEM First

ML-KEM (formerly CRYSTALS-Kyber), the lattice-based scheme NIST chose, is more MCU-friendly than alternatives like Falcon (NTRU-based) or SPHINCS+ (hash-only) for three reasons:

  • Compute pattern: Core operations are NTT matrix multiplications—no floating point, no complex sampling—predictable on fixed-point MCUs;
  • Key sizes: ML-KEM-768 public key is ~1184 bytes, ciphertext ~1088 bytes, both fit comfortably in MCU Flash;
  • Side-channel friendliness: Mature constant-time implementation paths ease TVLA validation.

These properties made ML-KEM the de facto first PQC algorithm to ship on MCU-class hardware. Nuvoton's choice of ML-KEM-768 as the initial security level reflects exactly this engineering judgment.

(2) Memory Optimization: How 12KB RAM Was Achieved

ML-KEM-768's polynomial operations involve large temporary vectors across multiple 256-coefficient polynomials. Generic implementations often demand 20-30KB of heap. M2354 takes three approaches:

  1. Static allocation: Compile-time constants pin NTT buffers into BSS, eliminating malloc fragmentation;
  2. In-place NTT: Input and output share the same buffer, halving peak usage;
  3. Stack reuse: Schoolbook multiplication and the NTT share stack frames where variable lifetimes do not overlap.

End result: full ML-KEM-768 keygen / encaps / decaps runs in under 12KB of RAM on Cortex-M23's 256KB SRAM, leaving ample headroom for RTOS and application protocol stacks.

(3) Performance Tuning: Where the 30% Cycle Reduction Comes From

NTT dominates ML-KEM compute time (60-70% of cycles). M2354's optimization paths include:

  • Inlined Montgomery multiplication: Eliminates function call overhead and is pipeline-friendly;
  • Unrolled butterfly operations: Seven-layer loops manually expanded into sequential instructions, reducing branch mispredictions;
  • Precomputed twiddle factors (zeta): Stored as Flash constants, read-only at runtime.

End-to-end keygen + encaps + decaps cycle count drops by approximately 30% versus generic reference implementations, translating directly to shorter handshake latency and lower power consumption—critical for battery-powered IoT nodes.
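
The techniques listed in sections (2) and (3), combined in one added example (not Nuvoton's or MicroPQC's code): an in-place ML-KEM NTT over a statically allocated buffer, using Montgomery multiplication and a bit-reversed zeta table, checked by a forward/inverse round trip on a constructed polynomial. The function names are hypothetical, the loops are left rolled, and the zeta table is generated at start-up only to keep the listing short; a device build would store it as a Flash constant as described above.

```c
#include <stdint.h>
enum { N = 256, Q = 3329, QINV = -3327 };        /* QINV = q^-1 mod 2^16 */
static int16_t zetas[128], poly[N];  /* static (BSS), no heap; zetas: const Flash table on a device */
static int16_t mont_reduce(int32_t a) {          /* a * 2^-16 mod q, in (-q, q) */
    int16_t t = (int16_t)((int16_t)a * QINV);
    return (int16_t)((a - (int32_t)t * Q) >> 16);
}
static int16_t barrett_reduce(int16_t a) {       /* centered representative mod q */
    int16_t t = (int16_t)((20159 * (int32_t)a + (1 << 25)) >> 26);
    return (int16_t)(a - t * Q);
}
static void init_zetas(void) {                   /* zetas[k] = 17^bitrev7(k) * 2^16 mod q */
    for (unsigned k = 0, e, z, b; k < 128; k++) {
        for (e = 0, b = 0; b < 7; b++) e |= ((k >> b) & 1u) << (6 - b);
        for (z = 2285; e; e--) z = z * 17 % Q;   /* 2285 = 2^16 mod q */
        zetas[k] = (int16_t)z;
    }
}
static void ntt_inplace(int16_t r[N]) {          /* 7 layers; output overwrites input */
    unsigned k = 1, len, start, j;
    for (len = 128; len >= 2; len >>= 1)
        for (start = 0; start < N; start = j + len, k++)
            for (j = start; j < start + len; j++) {
                int16_t t = mont_reduce((int32_t)zetas[k] * r[j + len]);
                r[j + len] = (int16_t)(r[j] - t);
                r[j] = (int16_t)(r[j] + t);
            }
    for (j = 0; j < N; j++) r[j] = barrett_reduce(r[j]);
}
static void invntt_inplace(int16_t r[N]) {       /* final factor 512 = 2^16 / 128 */
    unsigned k = 127, len, start, j;
    for (len = 2; len <= 128; len <<= 1)
        for (start = 0; start < N; start = j + len, k--)
            for (j = start; j < start + len; j++) {
                int16_t t = r[j];
                r[j] = barrett_reduce((int16_t)(t + r[j + len]));
                r[j + len] = mont_reduce((int32_t)zetas[k] * (r[j + len] - t));
            }
    for (j = 0; j < N; j++) r[j] = mont_reduce((int32_t)r[j] * 512);
}
int ntt_roundtrip_mismatches(void) {             /* constructed input; 0 = exact round trip */
    int bad = 0, i;
    init_zetas();
    for (i = 0; i < N; i++) poly[i] = (int16_t)((i * 131 + 7) % Q);
    ntt_inplace(poly); invntt_inplace(poly);     /* same buffer in and out */
    for (i = 0; i < N; i++) bad += (poly[i] % Q + Q) % Q != (i * 131 + 7) % Q;
    return bad;
}
int main(void) { return ntt_roundtrip_mismatches() != 0; }
```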

(4) Hardware Foundation: TrustZone + PSA/SESIP L3

Software-layer PQC only replaces the cryptographic algorithm. Real device security depends on where private keys live in silicon and who can access them. M2354's hardware security stack includes:

  • Arm TrustZone: Partitions Flash and RAM into Secure and Non-Secure Worlds; PQC private keys and bootloaders reside in the Secure World;
  • PSA Certified Level 3: Lab-certified resistance against 30+ attack vectors including side-channel, fault injection, and firmware rollback;
  • SESIP Level 3: A lightweight security evaluation scheme tailored for IoT, complementary to PSA L3 and directly recognized by EU regulations like ETSI EN 303 645.

The three layers together mean M2354 not only "computes PQC" but also "continuously protects PQC private keys in physically adversarial environments"—the real pain point for industrial, automotive, and medical device customers.

Why HSY Customers Should Care

PQC is not a "wait until quantum computers arrive" topic; it is a compliance obligation with a clear timeline:

  • NIST has published FIPS 203/204/205 and requires federal agencies to complete migration before 2030;
  • The EU's Cyber Resilience Act (CRA), in force from 2027, mandates "appropriate cryptographic strength" for connected products, with PQC as the explicit path;
  • China's MIIT launched PQC standardization work in 2024, with finance, government, and V2X leading adoption.

For OEMs, evaluating PQC today costs 5-10× less than waiting three years: the former layers software onto existing platforms, while the latter typically requires MCU or even host controller replacement.

HSY Perspective

The M2354 + MicroPQC milestone means three concrete things for HSY's customer base:

  • Smooth upgrade for in-production designs: Customers already using M2354 in IoT gateways and sensor nodes can add PQC capabilities through OTA firmware updates, without respinning PCBs—dramatically lowering migration cost;
  • "Quantum-Ready" as a differentiator for new projects: In long-lifecycle products (7-10 years) such as vehicle T-Boxes, smart meters, and medical devices, "quantum-resistant out of the box" is a hard compliance requirement when selling into EU and North American markets;
  • HSY delivers end-to-end support: From M2354 evaluation board loans, MicroPQC porting consulting, PQC integration with existing TLS/DTLS stacks, to pre-assessment for PSA/SESIP certification.

Post-quantum is not the future tense—it is the present continuous. HSY recommends customers open their PQC evaluation window in the second half of 2026 and put "quantum-ready" on the checklist for next-generation product designs.

Sources

  • CTIMES: "Quantum Security Milestone: Nuvoton NuMicro® M2354 Successfully Implements Post-Quantum Cryptography", 2026-06-11
  • NIST FIPS 203/204/205, released August 2024
  • Arm PSA Certified Level 3 and SESIP Level 3 evaluation frameworks
  • EU Cyber Resilience Act (CRA) 2024 text