NIST finalized its first post-quantum cryptography standards in August 2024. The hardware implications are arriving now. LowRISC's work on OpenTitan demonstrates that replacing RSA and ECC with ML-DSA or ML-KEM is not a firmware update. It is a silicon redesign, and the new constraint is not math, it is physics.
The problem is side-channel leakage. Standard PQC algorithms produce the correct mathematical output but leak key material through power draw and electromagnetic emissions during signature operations. For a root-of-trust device like OpenTitan, which targets Common Criteria certification at High attack potential, functional correctness alone fails the evaluation. The fix is first-order masking: splitting every sensitive value into two random shares so no single intermediate in the data path is correlated with the secret. For ML-DSA, first-order masking roughly doubles the implementation area versus an unmasked version. That cost is mandatory for any device aiming at Common Criteria EAL 5 or higher, which covers the majority of trusted-platform and secure-element targets.
The architecture change this forces is specific and non-trivial. Key-generation and signing paths must be redesigned with fresh randomness injected at each computational step, control-flow flattening to remove timing variation, and memory access patterns that do not leak operand structure. Existing digital signature IP libraries built for RSA or ECDSA will not retrofit to PQC correctly. Teams that assume they can swap algorithms without changing the RTL will ship devices that pass functional verification but fail a lab-grade side-channel probe in under an hour.
The transition window is now. NIST's 2025 draft migration guidance recommends that any new hardware root-of-trust design started today target PQC-native implementation. The systems most exposed are industrial controllers, secure enclave IP blocks, and automotive HSMs with multi-decade lifetime requirements. If your silicon tape-out is scheduled for the next 18 months and the RoT still uses ECDSA without a masking architecture plan, the timeline is the problem.