Published findings from the lab
Open access. Peer-reviewed papers, technical briefs, and field notes on post-quantum cryptography for the automotive stack.
Peer-Reviewed Papers & Technical Reports
ML-KEM and ML-DSA Performance on Automotive-Grade ARM Cortex-M7 MCUs Under AUTOSAR OS Scheduling Constraints
Benchmark measurements for NIST FIPS 203 (ML-KEM-768) and FIPS 204 (ML-DSA-65) on the NXP S32K344 (Cortex-M7 at 160 MHz) and STM32H573 (Cortex-M33 at 250 MHz) microcontrollers, measured under AUTOSAR OS scheduling conditions. Will cover stack usage, code size, and cycle counts relevant to AUTOSAR integration planning. Hardware measurements are currently in progress.
CryptoBOM: Automated Cryptographic Bill of Materials for Automotive ECU Firmware
CryptoBOM scans automotive ECU firmware binaries (ELF, Intel HEX, S-record, raw binary) and produces a Cryptographic Bill of Materials identifying every instance of classical cryptographic algorithms vulnerable to Shor's algorithm. Detection uses YARA rules and Ghidra headless analysis. Validated against Zephyr RTOS with mbedTLS, OpenBLT bootloader, and NXP S32K3 MCAL demo binaries.
Technical Briefs
HNDL and the Automotive Fleet: Why Your OTA Traffic Is Already Recorded
Every OTA firmware update your vehicles have ever received has been copied by someone. When the quantum computer arrives, those recordings decrypt. The attack is called Harvest Now, Decrypt Later, and it is operational right now…
FIPS 203 for Automotive Engineers: What Changes, What Stays, What You Need to Order Today
ML-KEM replaces ECDH key exchange across your ECU fleet. AUTOSAR has reserved the API slots. The silicon is orderable today. Here is exactly what FIPS 203 means for an automotive ECU programme…
FIPS 204 for Automotive Engineers: What Changes, What Stays, What You Need to Order Today
ML-DSA replaces ECDSA signatures for OTA firmware, secure boot, and V2X. The change touches every signing key in your programme. Here is exactly what FIPS 204 means for an automotive ECU programme…
Why Your AUTOSAR TARA Does Not Include a Quantum Adversary
ISO/SAE 21434 threat methodology was finalised before NIST published its post-quantum standards. The quantum-capable nation-state adversary is missing from most current TARAs. Here is what that gap looks like in practice, and how to close it…
Being written — available Q2 2026
UNECE R155 and Post-Quantum: What Your Annual Review Auditor Will Start Asking
Regulatory pressure around PQC migration evidence is building. The questions your R155 auditor has not asked yet are coming. Here is what to prepare before your next annual review…
Being written — available Q2 2026
Field Notes & Analysis
New research when we publish something worth reading.
No newsletter. No noise.
No marketing. One email per publication.