A new hardware-rooted reference architecture — combining FPGAs, Trusted Platform Modules, and post-quantum cryptography — is emerging in response to regulatory timelines that hardware teams can no longer defer.
As regulators on both sides of the Atlantic set firm timelines for the migration to post-quantum cryptography, a new class of devices is making the stakes unusually tangible. Humanoid robots — machines being built this decade with operational lifespans stretching into the 2040s — are forcing engineering teams to confront a question most enterprise security programs have been able to defer: how do you protect a connected, data-collecting device whose cryptography must outlast today’s algorithms?
The answer taking shape at the hardware level combines three technologies that have rarely been discussed in combination: field-programmable gate arrays (FPGAs), Trusted Platform Modules (TPMs), and post-quantum cryptography (PQC). Together, they are emerging as a reference architecture for autonomous systems.
A recent joint FPGA-based PQC demo from Lattice Semiconductor, SEALSQ, and European electronics design house Promwad suggests the industry is moving from theory to silicon.
The deadline landscape
The United States has set the pace. NIST published its first post-quantum standards in 2024, and the White House’s National Security Memorandum 10 (NSM-10), together with OMB memorandum M-23-02, requires federal agencies to inventory cryptographic systems and begin migration planning. Under the NSA’s Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), national security systems are expected to complete their transition between 2033 and 2035.
Europe is following closely. EU roadmaps call for national PQC strategies by the end of 2026, with pilots already underway in 2025 and 2026. Critical infrastructure operators face a 2030 deadline for high-risk systems, and the bloc’s broader full-deployment target sits around 2035. The United Kingdom’s National Cyber Security Centre has published its own sequence: discovery by 2028, high-priority migration by 2031, completion by 2035.
For software-centric organizations, those timelines are aggressive but manageable. For hardware teams designing products with 10- to 20-year service lives, they are effectively binding today. A humanoid robot, industrial platform, drone, or connected vehicle entering production in 2026 will still be operating when post-quantum migration is expected to be complete — meaning its cryptographic architecture has to anticipate the full transition from day one.
“Harvest now, decrypt later”
The urgency is compounded by an attack pattern that treats current encryption as a delayed-action vulnerability. Adversaries are already capturing encrypted communications with the expectation that cryptographically relevant quantum computers will eventually break the underlying algorithms. Traffic protected today by RSA or elliptic curve cryptography could be decrypted retrospectively years from now.
For data with a short shelf life — a session token, a transient authentication handshake — the risk is limited. For devices that continuously produce sensitive telemetry over two decades, it is not. Every video frame, voice sample, biometric reading, and location point transmitted by a long-lived platform today is a candidate for future decryption.
Why humanoids are the canary
Few devices illustrate the problem as clearly as humanoid robots. Early deployments are moving from laboratories into warehouses, hospitals, hotels, and public-facing spaces. They operate in physically accessible environments — anyone can approach, observe, or probe them — and they generate a continuous stream of high-fidelity sensor data: cameras, microphones, lidar, inertial measurement units, and in many cases biometric identification systems.
A humanoid platform is, in effect, a walking data-harvest surface with a service life closer to a commercial appliance than a smartphone. And unlike a refrigerator, it is networked, mobile, and equipped with actuators that can cause physical harm if compromised. That combination — long operational life, rich sensor payloads, physical accessibility, and direct kinetic consequences — concentrates nearly every category of cybersecurity risk into a single product class.
The limits of software-only security
The conventional approach to robotic safety has been to implement protective logic in software — typically within the operating system, the Robot Operating System (ROS) middleware, or an AI inference layer. That approach breaks down under adversarial conditions. If the operating system is compromised, the safety logic running on top of it can be bypassed. A machine that is provably safe in isolation becomes a liability the moment its software stack is exploited.
The architectural response gaining traction is to push safety enforcement below the software layer altogether, anchoring it in hardware that a compromised OS cannot override. That is the shared premise behind the FPGA + TPM + PQC model discussed at a recent joint security seminar hosted by Lattice Semiconductor, Promwad, and SEALSQ.
Inside the reference architecture
Each element of the triangle addresses a distinct layer of the problem.
FPGAs sit between sensors, processors, and actuators, and execute safety logic in deterministic real time — typically in under a microsecond. Their inherently parallel architecture allows multiple sensor streams to be cross-validated simultaneously, and because FPGAs operate below the OS, their safety constraints cannot be disabled by compromised software.
TPMs provide the root of trust. With more than four billion units deployed globally under the Trusted Computing Group standard, the Trusted Platform Module is a mature, well-understood secure element that handles tamper-resistant key storage, cryptographic operations, and platform attestation. In an FPGA-based system, the TPM verifies that the correct bitstream has been loaded, validates the firmware chain from BIOS through the application layer, and secures external communications through PKI and TLS.
Post-quantum cryptography addresses the twenty-year horizon. PQC algorithms secure bitstream signing, firmware updates, over-the-air communications, and device identity against future quantum attacks. Because PQC standards are still maturing, crypto agility — the ability to replace algorithms in the field without redesigning the hardware — has become a core design requirement. FPGAs are structurally well-suited to this role: their reconfigurable fabric allows cryptographic implementations to be updated as standards evolve.
From concept to silicon
At Embedded World 2026, the three companies presented a joint hardware demonstrator that implements the full architecture on a single platform. The demo combines PQC-signed FPGA bitstream validation, an integrated TPM-based root of trust, and a post-quantum crypto co-processor accessible directly from the FPGA fabric.
The engineering contributions were divided along each partner’s specialization. Lattice Semiconductor provided the FPGA technology; SEALSQ contributed the TPM and post-quantum cryptographic elements. Promwad — an independent FPGA design company with more than 150 engineers and over two decades of experience in embedded systems development and electronics design services — handled the hardware implementation, from schematic capture and PCB layout through release to manufacturing.
The demonstrator is aimed at a concrete regulatory problem. Devices in robotics, drones, and critical infrastructure typically remain in service for 10 to 20 years, while attack techniques and compliance requirements keep evolving. The EU Cyber Resilience Act, whose main obligations apply from December 2027, imposes ongoing security duties across a product’s entire lifecycle. The Radio Equipment Directive adds overlapping cybersecurity requirements for wireless devices. A static security model cannot satisfy either framework.
What it means for R&D leaders
The broader message for OEMs and product companies designing autonomous platforms is that cybersecurity has moved upstream. Bolting security onto a finished design is no longer a viable compliance strategy, and software-only safety architectures are increasingly difficult to defend to regulators reviewing long-lived connected devices. Hardware roots of trust, deterministic safety enforcement, and crypto-agile cryptographic stacks are converging into what several industry participants now describe as a de facto reference architecture for secure autonomous systems.
Humanoid robots may have brought the problem into focus, but the same constraints apply to any device built to outlast the cryptography it ships with. For teams starting designs in 2026, the post-quantum clock is no longer a future consideration. It is a design parameter.
