Post-Quantum Trusted Computing: Architectural Approaches, Standardization, and Open Challenges in the Quantum Era

1. Introduction

Platform integrity is a cornerstone of modern cybersecurity, ensuring that a computing system operates as intended, free from malicious subversion. For decades, Trusted Computing (TC) has been the dominant paradigm for establishing this integrity, primarily through hardware-based security components such as the Trusted Platform Module (TPM). The TPM, by enabling functions like measured boot and remote attestation, provides a robust defense against attacks that compromise the foundational layers of a system. However, this established security framework is facing an existential threat from the rapid advancement of quantum computing. Large-scale, fault-tolerant quantum computers, once realized, will be capable of executing algorithms like Shor’s, which can efficiently break the public-key cryptographic algorithms (e.g., RSA and ECC) that underpin TC’s security mechanisms. This vulnerability creates a dire “harvest-now, decrypt-later” scenario, where adversaries can collect vast amounts of today’s encrypted data, store it, and decrypt it effortlessly with future quantum machines. The purpose of this review is to systematically examine the evolution of the Trusted Computing paradigm in the face of this quantum threat. We aim to provide a comprehensive analysis of the transition from classical TC to a new era of Post-Quantum Trusted Computing (PQC-TC). This study synthesizes and critically evaluates the leading research and industry efforts dedicated to this migration, focusing on the proposed cryptographic and architectural solutions. It also identifies the key challenges and open research questions that remain. This paper is structured to provide a clear and logical progression through this complex topic. Section 2 defines the foundational concepts of both Trusted Computing and Post-Quantum Cryptography, highlighting their individual roles and the points of intersection. Section 3 presents a taxonomy of the current PQC-TC approaches, detailing their architectures, advantages, and drawbacks. Section 4 reviews the ongoing standardization efforts and the progress of industry adoption. Finally, Section 5 discusses the critical research gaps and outlines future directions for the field.

2. Foundational Concepts: Trusted Computing and Quantum Security

2.1. Trusted Computing: A Foundational Paradigm for Platform Integrity

Trusted Computing (TC) is a security paradigm that aims to establish and maintain the integrity of a computing platform by grounding trust in hardware-based mechanisms. This approach addresses the inherent vulnerabilities of purely software-based security, which is susceptible to subversion at the operating system or hypervisor level [1,2]. The core tenet of TC is the creation of a hardware-rooted chain of trust, which cryptographically verifies the state of system components from the moment of power-on through the entire boot process. This architecture ensures that the platform’s behavior is predictable and auditable, thereby providing a foundational layer of security for all subsequent software execution. The central component of the TC architecture is the Trusted Platform Module (TPM), a specialized, tamper-resistant microcontroller [3]. The TPM operates in an isolated environment, protecting sensitive data such as cryptographic keys and integrity measurements from both physical and logical attacks. Its primary functions include cryptographic key generation and management, secure storage of platform-specific data, and, most critically, integrity measurement. During the boot sequence, the TPM takes cryptographic hash values of each loaded component—from the firmware and boot loader to the operating system kernel and drivers. These hash values are then securely stored in the TPM’s Platform Configuration Registers (PCRs) [4]. A key application of the TC paradigm is the measured boot process, which implements the chain of trust. This process ensures that each stage of the boot sequence is cryptographically measured and that its integrity measurement is passed on to the next stage. This creates an unforgeable record of the platform’s state, allowing for the detection of any unauthorized modifications or malware that may have been introduced during the boot process. Furthermore, TC enables remote attestation, a protocol that allows a remote party (the verifier) to obtain a verified report of a platform’s integrity status [5]. The TPM signs the PCR values with a unique attestation key, providing irrefutable proof of the platform’s configuration. The verifier can then compare this signed report against a set of known-good configurations to determine if the platform is trustworthy. In summary, Trusted Computing offers a robust, hardware-based solution for platform integrity in an increasingly hostile cyber landscape. By establishing an unchangeable and verifiable root of trust, TC addresses the fundamental problem of how to ensure a platform is in a known, secure state before running critical applications. Its principles are now foundational to a wide array of modern systems, including cloud computing environments, enterprise servers, and mobile devices, making it a cornerstone of contemporary cybersecurity research and practice.

2.2. Post-Quantum Cryptography: Definition and Significance

Post-Quantum Cryptography (PQC) is a field of cryptography that aims to protect today’s most widely used public-key cryptographic systems (e.g., RSA and Elliptic Curve Cryptography - ECC) against attacks from large-scale quantum computers that are expected to be built in the future [6]. Current cryptographic algorithms rely on mathematical problems that are computationally infeasible for classical computers, such as integer factorization and the discrete logarithm problem. However, quantum algorithms like Shor’s algorithm [7] have the potential to solve these problems exponentially faster, rendering these systems completely insecure. The primary goal of PQC is to develop new algorithms based on mathematical hard problems that are not efficiently solvable even by a quantum computer. This is a critical step for ensuring the long-term security of our digital infrastructure, as adversaries can currently employ a “harvest-now, decrypt-later” approach by storing encrypted data today and decrypting it once quantum computers mature. Given this existential threat, a concerted, standardized global migration is required, spearheaded by formal processes such as that initiated by the U.S. National Institute of Standards and Technology (NIST).

2.2.1. The NIST Standardization Process and Prominent Algorithm Families

In 2016, NIST initiated a global post-quantum cryptography standardization process. This process, involving an international community of experts, aimed to identify the most secure and practical PQC algorithms. After years of evaluation, NIST published its first standards in 2024 and selected additional algorithms for future standardization. The prominent algorithms that emerged from this process are categorized into various families based on their underlying mathematical hard problems [8].

2.2.2. Lattice-Based Cryptography

These algorithms rely on the difficulty of solving problems in high-dimensional lattices, such as the Shortest Vector Problem (SVP) or the Closest Vector Problem (CVP). They have emerged as leading candidates in the NIST process due to their general-purpose nature and robust security.

• Advantages: Lattice-based algorithms generally offer high performance and are well-suited for parallel processing. CRYSTALS-Kyber, selected as a standard for key encapsulation (FIPS 203), is a prime example [9]. Its combination of security and low computational overhead makes it ideal for hardware implementations.
• Disadvantages: Most lattice-based schemes have larger key and ciphertext sizes compared to RSA or ECC. This can pose challenges for storage and transmission, particularly for resource-constrained devices (IoT) or in networks with limited bandwidth.

2.2.3. Hash-Based Signatures

These schemes use a data structure known as a Merkle Tree to generate multiple signatures from a single-use key pair. Their security relies on the robustness of cryptographic hash functions, making them quantum-resistant by design.

• Advantages: Hash-based signatures offer provable security against quantum attacks. Algorithms like LMS (Leighton-Micali Signature) and XMSS (eXtended Merkle Signature Scheme) are suitable for long-term archiving and critical infrastructure. Their greatest benefit is that they are better understood and considered lower risk than other PQC families.
• Disadvantages: Their primary drawback is that they are one-time use; a key pair can only be used for a limited number of signatures. Furthermore, signature and key sizes are generally larger when compared to other algorithms.

2.2.4. Code-Based Cryptography

These algorithms are based on the difficulty of problems in the theory of error-correcting codes. The McEliece cryptosystem, proposed by Robert McEliece in 1978, is the oldest and most-studied example in this category [10].

• Advantages: They are considered very reliable due to their long history and strong security profile.
• Disadvantages: The main disadvantage is their extremely large key sizes. For instance, the public key for McEliece can be megabytes in size, which severely limits its practical application. Consequently, they are often considered more suitable for niche applications where very large, long-lived keys can be managed.

2.2.5. Comparative Analysis of PQC Algorithms

A comparative analysis of PQC algorithms against their classical counterparts is crucial for practical integration.

• Key and Signature Size: PQC algorithms generally have much larger key and signature sizes than RSA and ECC. For example, a PQC public key could be kilobytes or even megabytes in size, compared to a few hundred bytes for an ECC key. This has a direct impact on data storage and network transmission.
• Performance Overhead: Most PQC algorithms require more computational resources, especially for signature and decryption operations. While hardware accelerators are being developed to mitigate this overhead, it remains a significant concern for resource-constrained devices.
• Security Guarantees: The security of PQC algorithms is based on mathematical problems that are assumed to be difficult for quantum computers to solve. However, this is a new area of research, and the algorithms do not yet have a proven track record in a post-quantum world. Therefore, organizations like NIST have adopted a cautious approach, classifying security levels as “trial” and “standard.”

3. Approaches and Architectures for Post-Quantum Trusted Computing

The integration of Post-Quantum Cryptography (PQC) into the Trusted Computing (TC) paradigm is not a singular process but rather a multifaceted effort involving various architectural and cryptographic adaptations. This section examines the leading approaches for transitioning to Post-Quantum Trusted Computing (PQC-TC), highlighting the technical challenges and practical implications of each.

3.1. PQC-Embedded TPMs: The Mainstream Approach

The most direct and widely adopted strategy for PQC-TC involves retrofitting existing TPM hardware to natively support post-quantum algorithms [11]. This approach recognizes the need to maintain the established security properties of the TPM while updating its cryptographic core to resist quantum attacks. The primary modifications include both hardware and software updates. On the hardware front, many next-generation TPMs are being designed with dedicated hardware accelerators to manage the increased computational load of PQC algorithms, which are often more resource-intensive than their classical counterparts (e.g., RSA) [12]. On the software side, firmware updates are crucial to enable the use of new PQC primitives for key generation, storage, and cryptographic operations. While this method offers a practical, short-term migration path, it presents significant challenges related to the limited on-chip memory and power budget of current TPMs, particularly for algorithms with large key and signature sizes.

3.2. PQC and Measured Boot

The integrity of the measured boot process is fundamental to establishing a platform’s trustworthiness. In this process, cryptographic hash functions are used to measure the integrity of each boot-time component (firmware, boot loaders, etc.). A key aspect of the PQC transition is updating these hash functions to be quantum-resistant. While existing hash algorithms like SHA-3 are generally considered quantum-resistant, the PQC transition also involves updating the associated digital signatures that verify the integrity measurements [13]. The chain-of-trust mechanism, which relies on a root of trust signing subsequent measurements, must be adapted to use PQC signature schemes. This transition introduces complexities, as the boot environment has strict constraints on code size and performance. Replacing classical signing algorithms with PQC alternatives, such as Dilithium, requires careful optimization to avoid significantly increasing boot times or exceeding the memory capacity of the boot ROM.

3.3. PQC and Remote Attestation

Remote attestation is a critical TC function that allows a remote party to verify a platform’s integrity. The security of this process hinges on the cryptographic signatures used to attest to the platform’s state (as recorded in the PCRs). The PQC transition necessitates a complete overhaul of these attestation protocols to use quantum-resistant signature algorithms. This means replacing the classical keys used by the TPM for signing with a PQC-compatible scheme like Dilithium or a similar NIST-approved candidate [14]. This change brings its own set of challenges. First, the larger size of PQC signatures can increase the data transmitted during the attestation process, potentially impacting network performance, especially in low-bandwidth or latency-sensitive environments. Second, managing the life-cycle of these new, larger attestation keys, from provisioning to revocation, requires new standards and protocols. The transition is complicated by the need for backward compatibility and interoperability with existing attestation verifiers, many of which are not yet equipped to handle PQC-signed data.

4. Standardization and Industrial Developments

The theoretical and architectural transition to Post-Quantum Trusted Computing (PQC-TC) is being rapidly paralleled by critical standardization and commercial efforts. This section examines the key players and processes driving the real-world adoption of PQC within the Trusted Computing ecosystem.

4.1. The NIST Standardization Process

The NIST Post-Quantum Cryptography (PQC) Standardization Process has served as the single most critical catalyst for the migration of cryptographic standards. Its multi-year, open evaluation process provided the necessary confidence and security assurances for a global cryptographic transition [15]. By selecting algorithms such as CRYSTALS-Kyber for key encapsulation and CRYSTALS-Dilithium for digital signatures, NIST has effectively created a common foundation for developers and manufacturers. These selections have profound implications for PQC-TC, as they dictate which algorithms will be integrated into new hardware and software. The industry is now focusing its efforts on optimizing these specific algorithms for performance and resource efficiency, knowing they will be the de facto standards.

4.2. The Role of the Trusted Computing Group (TCG)

As the primary standards body for Trusted Computing, the Trusted Computing Group (TCG) plays a vital role in ensuring that PQC standards are seamlessly integrated into the TPM framework. TCG’s work involves updating the specifications of the TPM 2.0 Library and related modules to accommodate the new cryptographic primitives [16]. A key challenge for TCG is to define how PQC keys will be managed, stored, and used in a manner that maintains the existing security guarantees of the TPM. TCG is exploring methods for hybrid implementations, where a TPM can support both classical (e.g., RSA) and post-quantum algorithms simultaneously, providing a robust path for phased migration and backward compatibility [17]. These standardization efforts are crucial for ensuring interoperability between different vendors’ PQC-enabled TPMs and for allowing organizations to deploy new hardware without disrupting existing infrastructure.

4.3. Commercial Prototypes and Market Adoption

The abstract standardization work is being brought to life through active development by leading semiconductor and security chip manufacturers. Companies like Infineon Technologies, STMicroelectronics, and Microchip Technology are at the forefront of this commercialization. Prototypes of PQC-enabled TPMs have been developed and demonstrated, often featuring hardware acceleration for lattice-based algorithms to minimize performance overhead [18]. These early commercial applications focus on critical infrastructure and embedded systems where long-term security is paramount. For example, PQC-TPM prototypes are being tested in servers for data centers and secure IoT devices to provide a long-term defense against future quantum attacks on boot integrity and secure communication. While widespread adoption is still in its early stages, these commercial developments signal that the transition from a theoretical concept to a practical reality is well underway.

5. Open Research Challenges and Future Directions

While the transition to Post-Quantum Trusted Computing (PQC-TC) is underway, several critical challenges remain unresolved, presenting a rich landscape for future research. This section highlights the key open problems and potential research directions that will define the evolution of PQC-TC in the coming years.

5.1. Performance and Resource Constraints

The most immediate challenge lies in addressing the significant performance overhead and resource requirements of PQC algorithms. Compared to their classical counterparts, PQC schemes generally involve larger key and signature sizes, as well as more intensive computational operations [19]. This is particularly problematic for resource-constrained devices such as those in the Internet of Things (IoT) and embedded systems, where memory, power, and processing capabilities are limited. Future research needs to focus on developing highly optimized hardware accelerators and lightweight software implementations for PQC algorithms. Additionally, novel architectural designs for TPMs are required to accommodate these increased demands without compromising power efficiency or physical security.

5.2. Migration Strategies and Backward Compatibility

A smooth and secure migration from classical TC to PQC-TC is a complex endeavor that lacks a universally accepted strategy. The challenge is to transition a vast installed base of devices and infrastructure without creating vulnerabilities or causing service disruptions [20]. Hybrid cryptographic schemes, which use both classical (e.g., RSA) and post-quantum (e.g., Dilithium) keys for a period of time, have been proposed as a temporary solution. However, questions remain regarding the optimal duration of this hybrid period, the management of two distinct key types, and the security of hybrid protocols against various attacks. Research into new, robust, and automated migration protocols is essential to ensure a phased, interoperable transition for the entire ecosystem.

5.3. Formal Security Models

While PQC algorithms are assumed to be quantum-resistant, their security has not been formally proven in the same way as some classical schemes. The field lacks comprehensive formal security models that can rigorously prove the resilience of entire PQC-TC systems, not just the individual algorithms [21]. Developing such models is crucial for instilling confidence in the new paradigm. Future work should aim to create formal verification frameworks that can analyze the security properties of PQC-enabled measured boot and remote attestation protocols, taking into account new vulnerabilities that may arise from larger key sizes or implementation-specific issues.

5.4. Hybrid Architectures and Quantum Integration

Beyond the PQC approach, there is growing interest in exploring hybrid architectures that combine classical TC with emerging quantum hardware. The integration of Quantum Random Number Generators (QRNGs) could provide true, physical-level entropy to PQC-TC systems, enhancing key generation and integrity measurements [22]. Similarly, leveraging Quantum Key Distribution (QKD) could enable highly secure, long-distance key exchange for remote attestation and secure communication. However, these hybrid models face significant challenges, including the high cost and complexity of quantum hardware, interoperability with classical systems, and the need to address new operational risks. Research is needed to conduct thorough cost-benefit analyses and to standardize the interfaces between classical TPMs and quantum services to explore these promising, albeit distant, possibilities.

6. Conclusions

The digital security landscape is on the cusp of a profound transformation driven by the advent of quantum computing. This review has systematically examined the critical and inevitable evolution of Trusted Computing (TC) into the era of Post-Quantum Trusted Computing (PQC-TC). We have established that while TC’s hardware-based security principles remain sound, its reliance on classical cryptographic algorithms, particularly for key management and digital signatures, makes it fundamentally vulnerable to future quantum attacks. The “harvest-now, decrypt-later” threat is not a distant hypothetical but a present-day reality that necessitates a proactive and coordinated response. Our analysis of the various PQC-TC approaches reveals a clear and pragmatic path forward. While fully quantum-based solutions (e.g., qTPM) are largely theoretical and face significant hardware challenges, the most viable and immediate strategy is the PQC modernization of existing TC infrastructure. This approach, spearheaded by the NIST PQC Standardization Process and actively supported by organizations like the Trusted Computing Group (TCG), focuses on retrofitting current TPM hardware and protocols with new, quantum-resistant algorithms. Despite the challenges of increased key sizes and performance overhead, this method offers the most practical and scalable solution for securing our digital ecosystem in the short to mid-term. Looking ahead, the industry’s trajectory is well-defined. In the near term, we can expect to see a rapid acceleration in the development and deployment of PQC-enabled TPMs and related hardware, as manufacturers align with the newly established NIST standards. The focus will be on optimizing these implementations to mitigate performance penalties, particularly for resource-constrained devices. In the long term, the field will likely evolve towards hybrid architectures that combine the strengths of classical PQC-TC with emerging quantum hardware capabilities, such as Quantum Random Number Generators (QRNGs). However, significant research is still required to establish robust formal security models, develop efficient migration strategies, and address the inherent complexities of integrating quantum and classical systems. Ultimately, the successful transition to PQC-TC will be a testament to the cybersecurity community’s ability to adapt and build a new, resilient foundation for a quantum-ready world.