KCMVP 3.0 Changes: What Korean Semiconductor Companies Need to Prepare
Korea’s Cryptographic Module Validation Program (KCMVP, 한국 암호 모듈 검증 프로그램) is at an inflection point. With NIST finalizing post-quantum cryptography standards and the global push toward quantum-resistant infrastructure, the Korean National Intelligence Service (NIS) and the Korea Internet & Security Agency (KISA) are updating KCMVP to address the post-quantum transition.
For Korean semiconductor companies — from established players like Samsung and SK Hynix to emerging AI chip startups like Rebellions, FuriosaAI, and HyperAccel — understanding these changes is critical for product roadmap planning, government contract eligibility, and export competitiveness.
Background: KCMVP’s Role in Korea’s Security Ecosystem
KCMVP is Korea’s national standard for validating cryptographic modules used in government and critical infrastructure systems. It’s analogous to NIST’s CMVP (FIPS 140-3) in the United States, but with Korea-specific algorithms and requirements.
Any cryptographic module deployed in Korean government systems, defense applications, or critical infrastructure must pass KCMVP validation. This includes hardware security modules (HSMs), secure microcontrollers, and cryptographic IP cores embedded in SoCs.
Historically, KCMVP has mandated Korean standard algorithms: ARIA (block cipher), SEED (legacy block cipher), LEA (lightweight block cipher), and HAS-160/SHA-256 (hash functions). The program has also recognized international algorithms like AES and SHA-3, but Korean algorithms have been required for government deployments.
What’s Changing in KCMVP 3.0
The next major revision of KCMVP is expected to introduce several significant changes aligned with the global post-quantum transition:
Addition of PQC Algorithms: ML-KEM (formerly Kyber) and ML-DSA (formerly Dilithium) are expected to be added to the approved algorithm list. Korean-developed PQC algorithms may also be considered, pending evaluation by NIS/KISA’s cryptographic algorithm evaluation process.
Deprecation Timeline for Classical Algorithms: RSA and finite-field Diffie-Hellman are expected to receive deprecation timelines, with a transition period during which both classical and PQC algorithms are accepted. The exact timeline will depend on global consensus, but Korean agencies are tracking NIST’s deprecation schedules closely.
Enhanced Side-Channel Evaluation: The physical security requirements for cryptographic modules are being strengthened. Modules claiming resistance to physical attacks will need to demonstrate Test Vector Leakage Assessment (TVLA) compliance and resistance to standard differential and correlation power analysis (DPA/CPA) attacks. These requirements are extremely difficult to meet with software-only implementations.
Hybrid Mode Requirements: During the transition period, modules may be required to support hybrid key establishment (combining classical ECDH with ML-KEM) to maintain backward compatibility while providing quantum resistance. This has significant implications for hardware resource allocation.
Supply Chain Security: New requirements around firmware signing, secure update mechanisms, and hardware provenance tracking are expected, reflecting global concerns about supply chain integrity in semiconductor manufacturing.
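To make the side-channel requirement above concrete, the following added example (not from the original article and not KCMVP's test procedure) runs a first-order fixed-vs-random TVLA check with Welch's t-test over simulated power traces, once for an unprotected implementation and once for a masked one. The |t| > 4.5 bound is the conventional TVLA threshold; the Hamming-weight power model, its 0.5 scaling, the noise level and the trace counts are assumptions chosen for illustration.

```python
import math
import random

TVLA_THRESHOLD = 4.5  # conventional |t| bound in TVLA practice (assumed here, not a KCMVP figure)

def welch_t(a, b):
    """Welch's t-statistic for two samples with unequal variances."""
    na, nb = len(a), len(b)
    ma, mb = sum(a) / na, sum(b) / nb
    va = sum((x - ma) ** 2 for x in a) / (na - 1)
    vb = sum((x - mb) ** 2 for x in b) / (nb - 1)
    denom = math.sqrt(va / na + vb / nb)
    return 0.0 if denom == 0 else (ma - mb) / denom

def tvla_scan(fixed, rand):
    """Per-sample-point t-values for a fixed-input vs random-input trace set."""
    return [welch_t([t[i] for t in fixed], [t[i] for t in rand])
            for i in range(len(fixed[0]))]

def leaking_points(tvals, threshold=TVLA_THRESHOLD):
    """Sample indices whose |t| exceeds the threshold (first-order leakage)."""
    return [i for i, t in enumerate(tvals) if abs(t) > threshold]

def simulate(n, points, leak_at, masked, seed):
    """Constructed traces: unit Gaussian noise plus a Hamming-weight term
    at one sample point. With masked=True the processed value is XORed
    with a fresh random mask on every execution."""
    rng = random.Random(seed)
    def trace(value):
        tr = [rng.gauss(0.0, 1.0) for _ in range(points)]
        if masked:
            value ^= rng.randrange(256)
        tr[leak_at] += 0.5 * bin(value).count("1")
        return tr
    fixed = [trace(0xFF) for _ in range(n)]
    rand = [trace(rng.randrange(256)) for _ in range(n)]
    return fixed, rand

if __name__ == "__main__":
    for masked in (False, True):
        fixed, rand = simulate(2000, 20, leak_at=7, masked=masked, seed=1)
        tvals = tvla_scan(fixed, rand)
        print("masked" if masked else "unmasked",
              "max |t| = %.1f" % max(abs(t) for t in tvals),
              "leaking points:", leaking_points(tvals))
```

A pre-certification lab would feed measured oscilloscope traces into the same scan in place of `simulate`, and would also run higher-order tests, which this first-order check does not cover.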
Impact on Korean Semiconductor Companies
The KCMVP changes create both obligations and opportunities for different segments of the Korean semiconductor industry:
AI Chip Startups (Rebellions, FuriosaAI, HyperAccel): These companies are designing high-performance AI accelerators that will increasingly need security certification for deployment in government AI infrastructure, defense applications, and critical data processing. Integrating a KCMVP-certified cryptographic subsystem early in the design phase is far more efficient than retrofitting security onto an existing architecture.
The AI chip market is at a critical juncture where security is transitioning from “nice to have” to “required for deployment.” Companies that can offer KCMVP-certified AI accelerators will have a significant competitive advantage in Korean government procurement.
Memory Manufacturers (Samsung, SK Hynix): As computing architectures evolve toward Processing-in-Memory (PIM) and Compute Express Link (CXL), memory devices are becoming active participants in computation. This creates a new attack surface that KCMVP will need to address. Memory-integrated security features — encryption engines, integrity verification, access control — will need to meet cryptographic module standards.
Fabless Design Companies: Korean fabless companies designing IoT controllers, automotive MCUs, and communication processors need to integrate KCMVP-compliant cryptographic IP cores. The PQC transition means existing cryptographic IP must be replaced or augmented, creating demand for new IP vendors that can provide certified PQC hardware.
Defense and Aerospace: The most stringent requirements will apply to defense applications, where KCMVP certification is mandatory and the transition to PQC is driven by national security imperatives. K-defense exports — an increasingly important sector for Korea — require cryptographic modules that meet both KCMVP and partner-nation standards (FIPS 140-3, Common Criteria).
Cross-Certification Strategy
Korean companies targeting international markets need a cross-certification strategy:
KCMVP to CAVP: NIST’s Cryptographic Algorithm Validation Program (CAVP) validates individual algorithms. Many KCMVP-required tests align with CAVP, enabling a shared test infrastructure.
KCMVP to Common Criteria: The Common Criteria evaluation (particularly the AVA_VAN and ALC assurance families) complements KCMVP by providing a broader security evaluation framework. Korean companies should target the Korea IT Security Evaluation and Certification Scheme (K-ITSEC) for domestic Common Criteria evaluation.
Mutual Recognition: Korea participates in the Common Criteria Recognition Arrangement (CCRA), enabling CC certificates issued in Korea to be recognized in 31 member nations. This is a critical enabler for Korean semiconductor exports.
Preparation Roadmap
For companies beginning their KCMVP 3.0 preparation:
Phase 1 — Assessment (Now): Inventory all cryptographic functions in current and planned products. Identify which algorithms need PQC replacement and which hardware blocks need redesign. Assess current side-channel resistance posture.
Phase 2 — IP Selection (6-12 months): Evaluate and select PQC hardware IP that meets anticipated KCMVP 3.0 requirements. Key criteria include: ML-KEM and ML-DSA support, hardware side-channel countermeasures, hybrid mode capability, and a vendor with certification experience.
Phase 3 — Integration and Testing (12-24 months): Integrate PQC IP into the SoC design, implement Secure Boot with PQC verification, and conduct pre-certification side-channel testing. Build the test infrastructure (power analysis lab, TVLA tools) needed for KCMVP evaluation.
Phase 4 — Certification (24-36 months): Submit for KCMVP evaluation. The evaluation process typically takes 6-12 months, so early submission is advisable.
The Korean Market Opportunity
Korea’s semiconductor security market is at a unique inflection point:
Government investment in AI and quantum technology is accelerating, with the Korean government’s Digital Platform Government initiative requiring security certification for government AI systems.
K-defense exports are growing, creating demand for KCMVP-certified security components that also meet allied nation standards.
Korean companies are increasingly subject to supply chain security requirements from international customers (particularly US DoD CMMC and EU Cyber Resilience Act).
Companies that establish PQC hardware capability and KCMVP certification early will be positioned to serve this growing market as the mandatory compliance deadlines approach.
Conclusion
The KCMVP 3.0 transition is not just a compliance checkbox — it’s a strategic opportunity for Korean semiconductor companies to differentiate themselves in the global market. The companies that invest in PQC hardware IP, build side-channel testing infrastructure, and navigate the certification process early will have a lasting competitive advantage.
The post-quantum transition in Korea’s cryptographic standards is coming. The question for semiconductor companies is whether they’ll be ready when it arrives.
