Post-Quantum Cryptography is becoming a key building block for future secure systems, as quantum computers threaten widely deployed public-key cryptographic algorithms. In response, the NIST standardization process has selected new quantum-resistant schemes, among which ML-KEM plays a central role for key establishment. Deploying these algorithms efficiently on embedded processors is therefore a critical step toward practical adoption, particularly because embedded systems face strict constraints in terms of computational resources, memory footprint, and energy consumption. At the same time, they are more exposed to physical threats, making resistance to side-channel attacks a key requirement. These constraints make RISC-V especially attractive: its open instruction set and extensibility allow experimentation with software optimizations as well as hardware acceleration for PQC. To explore these aspects, CEA has developed VASCO3, a 22 nm ASIC chip designed to experimentally evaluate PQC implementations and side-channel countermeasures directly on silicon. The chip integrates a RISC-V–based System-on-Chip (SoC) together with several ML-KEM hardware accelerators, enabling the study of different hardware/software partitioning strategies around an embedded RISC-V CPU. In this demonstration, we present a comprehensive exploration of ML-KEM. We first showcase a pure software implementation running on the RISC-V, then progressively introduce hardware acceleration and a fully dedicated ML-KEM accelerator. We also demonstrate protected implementations based on first-order masking, including a masked software version and a masked hardware-assisted design.

This paper provides a quantitative analysis of the costs and benefits of integrating a dedicated hardware accelerator for the Post Quantum Cryptography (PQC) algorithm ML-KEM into a 32-bit RISC-V SoC. We compare a software-only implementation on the CV32E40P core against a full-hardware datapath offloading the entire algorithm. We implemented the system on a 22 nm ASIC chip, and we measured the results: the dedicated hardware achieves a 139x speed-up over the software baseline. This performance gain requires an area overhead of 301 kGE, representing only a 6% increase in the total SoC silicon footprint. This study provides a data-driven assessment of the silicon-to-latency trade-off for Post-Quantum Cryptography (PQC) in resource-constrained RISC-V systems.

The emergence of the open-source RISC-V Instruction Set Architecture has significantly democratized CPU and SoC design across a wide range of applications. By enabling companies to implement and customize their own processor architectures, rather than relying on proprietary solutions from a few vendors, RISC-V allows architectures to be tailored to specific application requirements. However, CPU and SoC development remains complex and demands substantial design and verification expertise. To address this challenge, several academic and industrial reference platforms have been introduced to accelerate RISC-V–based SoC development. This abstract presents ALPES, a versatile SoC platform built around cores from the OpenHW Foundation. ALPES includes an application-class chipset based on the CVA6 processor, as well as multiple secondary chipsets built around the CV32E40P core, targeting safe and secure real-time use cases. ALPES provides a robust, pre-verified foundation for ASIC projects, supporting several research projects focused on the RISC-V ecosystem.