Trusted Platform Modules (TPMs), which serve as the root of trust in secure systems, are secure crypto-processors that implement cryptographic primitives. Should large-scale quantum computing become a reality, the cryptographic primitives adopted in the TPM 2.0 standard will no longer be secure. The design of TPMs that provide Quantum Resistant (QR) primitives is therefore of utmost importance, in particular under the restrictions imposed by embedded systems. In this paper, we investigate the deployment of QR primitives and protocols in the standard TPM 2.0. The QR schemes selected to extend TPM 2.0 are cryptographic algorithms already in the NIST QR cryptography standardization process, together with an Oblivious Transfer (OT) protocol, a fundamental cryptographic primitive: specifically, the Kyber algorithm for key encapsulation, the Dilithium algorithm for digital signatures, and a 3-round Random Oblivious Transfer (ROT) protocol, which supports higher-level protocols such as Multi-Party Computation and Private Set Intersection (PSI). The QR-extended TPM 2.0 is implemented on ARM and RISC-V embedded processors; its computational requirements are analysed and experimentally evaluated against the standard TPM. It is shown that Kyber and Dilithium create keys faster than RSA, because of the large key size and the secure random sampling that RSA key generation requires, while matching the performance of ECC. For digital signatures, in both signature creation and verification, Dilithium is on par with RSA and ECC. The ROT protocol shows reasonable performance, and supporting it required only small modifications to the TPM. This paper also shows that the required code could be backported to already available TPMs, so that current TPMs remain secure against quantum adversaries.