STMicroelectronics has introduced the ST54M, which it calls the world's first secure mobile chip to combine a post-quantum cryptography (PQC) hardware accelerator with near-field communication (NFC), a secure element, and an embedded SIM on a single die.

The striking thing about the launch is its timing. ST is hardening phones against an attack that no machine on Earth can currently perform — because the data a phone holds has a long shelf life, and the deadlines to protect it are arriving years before the threat itself.

What ST Announced

Announced June 24 from Geneva, the chip is designed to handle security-sensitive tasks on smartphones and connected devices — contactless payments, identity and transit authentication, access control, and digital car keys — while preparing for a future in which a sufficiently powerful quantum computer could break some of today's widely used public-key cryptography. ST is sampling the chip to customers now and targets EU Cybersecurity Certification (EUCC, based on Common Criteria 2022) and EMVCo payment certification, along with mass production, for July.

The Threat You Prepare For Before It Exists

Today's digital security leans heavily on public-key cryptography — schemes such as RSA and elliptic-curve — whose safety rests on math problems, like factoring enormous numbers, that ordinary computers cannot solve in any practical amount of time. A sufficiently large, error-corrected quantum computer could in principle solve those particular problems efficiently, which would undermine that family of cryptography. The crucial caveat: no such machine exists yet, and expert estimates for when one might arrive range from years to decades. The threat is real but anticipatory.

What makes it pressing anyway is a tactic known as "harvest now, decrypt later." An adversary does not need to break encryption today; it can simply record encrypted data now and wait. Anything that must stay confidential for years — identity records, payment credentials, the keys to your car — is therefore effectively at risk in the present, even though the tool to crack it doesn't exist. That is the logic behind moving early, and behind a wave of government deadlines pulling the migration forward.

What Post-Quantum Cryptography Does

Post-quantum cryptography (PQC) is the response: a new family of algorithms built on different math — in this case "lattice" problems believed to resist both classical and quantum attack. The two the ST54M supports, the NIST-standardized ML-KEM (for establishing shared keys) and ML-DSA (for digital signatures), are designed to ease the transition from today's hybrid schemes — which run old and new cryptography side by side — toward full post-quantum security.

Putting that heavy math in a dedicated hardware engine, rather than running it in software, keeps the security tasks fast and power-efficient on a phone. And integrating it on one die with the NFC radio, the secure element — the tamper-resistant vault that holds payment and identity secrets — and the eSIM lets device makers add quantum-readiness without adding chips, bulk, or battery drain. That single-die integration is what ST is claiming as a first.

The accelerator is also hardened against two classes of physical attack: side-channel attacks, which try to infer secrets from a chip's power draw, timing, or electromagnetic emissions, and fault-injection attacks, which deliberately induce errors to shake data loose. Both are named here as threats the hardware is built to resist.

The Policy Clock Behind the Launch

The launch tracks a broader, government-driven push toward quantum-ready security. The U.S. recently moved up its federal deadline to migrate critical systems to post-quantum cryptography: an executive order signed June 22 set targets of the end of 2030 for key establishment and the end of 2031 for digital signatures, pulling a previous 2035 goal forward by several years. Standards bodies and other governments are pressing device makers to start the shift now, well before a code-breaking quantum computer actually arrives — and NIST's finalization of the ML-KEM and ML-DSA standards in 2024 gave the industry the concrete algorithms to build toward.

For a chipmaker, that combination — finalized standards plus hardening deadlines — turns post-quantum support from a research topic into a product requirement. A secure element that will sit in phones for years has to speak the new cryptography well before the threat materializes, which is precisely the bet ST is making with the ST54M.

Frequently Asked Questions

What is the ST54M chip?

The ST54M is a secure mobile chip from STMicroelectronics that the company describes as the world's first to combine a hardware accelerator for post-quantum cryptography with NFC, a secure element, and an embedded SIM (eSIM) on a single die. It is designed for smartphones and connected devices to handle security-sensitive tasks such as contactless payments, digital identity, transit and access authentication, and digital car keys, while preparing those functions for a future quantum threat. ST is sampling it to customers now, with mass production and certification targeted for July 2026.

What is post-quantum cryptography?

Post-quantum cryptography (PQC) is a family of cryptographic algorithms designed to remain secure against attacks from both classical computers and future quantum computers. Today's widely used public-key systems, such as RSA and elliptic-curve cryptography, rely on math problems that a sufficiently powerful quantum computer could eventually solve, which would compromise them. PQC instead uses different mathematical foundations — such as lattice-based problems — believed to resist quantum attacks. The goal is to protect sensitive data well before a code-breaking quantum computer exists.

What are ML-KEM and ML-DSA?

ML-KEM and ML-DSA are two post-quantum cryptographic algorithms standardized by the U.S. National Institute of Standards and Technology (NIST). ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) is used for key establishment — securely agreeing on a shared secret key between two parties — while ML-DSA (Module-Lattice-Based Digital Signature Algorithm) is used for digital signatures that verify authenticity and integrity. Both are based on lattice mathematics. The ST54M includes a hardware accelerator supporting both, to help devices transition toward full post-quantum security.

Why do we need quantum-resistant chips now?

Although no quantum computer capable of breaking current encryption exists yet, the precaution is driven by a tactic called "harvest now, decrypt later": adversaries can collect encrypted data today and store it until a future quantum computer can decrypt it. Data with a long confidentiality lifespan — identity records, financial credentials, government secrets — is therefore at risk in the present. Replacing cryptography across devices and systems also takes years, and governments have set migration deadlines (the U.S. now targets 2030–2031 for federal systems), so chipmakers are building quantum-resistant hardware well ahead of the actual threat.