Ali El Kaafarani, PQShield: “early iterations of the quantum threat could be state-sponsored attacks”

Much like everything in the world, the current encryption methods aren’t not going to suffice forever. Most likely sooner than later, quantum computing will pose a threat to vast amounts of sensitive data.

To add to the looming threat, bad actors also look into the future and some don’t bother with giving back the data they stole – all of it will be out in the open once quantum computers become a norm. That’s why businesses that rely on basic security measures like Virtual Private Networks, must take action now and prepare for what’s to come – a future where post-quantum cryptography solutions will be the norm.

Cybernews reached out to Ali El Kaafarani, the Founder and CEO of PQShield, a leading post-quantum cryptography solution provider. We discussed the oncoming challenges and what needs to be done in preparation for the future of post-quantum computing.

How did PQShield come about? What has your journey been like so far?

I was a cryptographer and research fellow at the University of Oxford’s Mathematical Institute and was looking at post-quantum cryptography in response to the threat that quantum computers posed to current encryption standards. As a part of my work, it became apparent that the industry was not moving quickly enough to respond, so I started PQShield to help businesses address the issue.

We started as a small team of cryptographers, mathematicians, and engineers who were passionate about countering the quantum threat. I am proud to have built a team that has one of the world’s highest concentrations of software and hardware cryptography experts outside academia and the classified sector.

Since then, PQShield has become a global leader in the race to develop encryption algorithms that can withstand attacks from quantum computers. Today, we are leading the commercial roll-out of quantum-ready cryptographic solutions that help organizations prepare for the threat landscape of tomorrow.

Can you introduce us to what you do? What challenges do you help navigate?

PQShield is a cybersecurity company specializing in post-quantum cryptography (PQC).

Simply put, the current encryption standards relied on to protect the world’s sensitive data are built on mathematical problems that are very difficult for traditional computers to solve in a practical timeframe. However, quantum computers will have the processing power capable of solving these complex mathematical challenges and will be able to smash through current public-key encryption, leaving data vulnerable.

This means that every business needs to replace the old encryption it uses today with PQC in order to secure its data and devices. That’s where our technology comes in. Today, PQShield is the only company that can demonstrate quantum-safe cryptography on chips, in applications, and in the cloud.

We are a leading contributor to the National Institute of Standards and Technology (NIST) post-quantum cryptography standardization project, and members of the PQShield team have also contributed multiple cryptographic extensions to RISC-V, the open standard instruction set architecture (ISA) that is rapidly gaining traction from proprietary competitors such as ARM and Intel.

We help our partners put in place a transition roadmap from ECC/RSA to post-quantum cryptography, which is a tremendous task given the widespread use of public-key cryptography in our ever more digitized lives.

What are the main threats surrounding quantum computers?

In order to provide confidentiality, authenticity, and data integrity, public-key cryptosystems, namely RSA and Elliptic Curve Cryptography (ECC), are used by virtually every organization, government, and device in the world to ensure secure communications and sharing of data over insecure channels.

Unfortunately, both RSA and ECC will be rendered useless by large-scale quantum computers.

The vast processing power of these machines will easily solve the mathematical problems that underpin public-key algorithms, making them useless. Information like medical records, national intelligence, intellectual property, financial transactions and end-to-end encrypted messaging will be exposed, with potentially devastating results.

"Harvest now, decrypt later" attacks add another layer of urgency to this unprecedented threat.

Bad actors could steal encrypted data from a business or organization through a more conventional attack today, and then store this information for when a quantum computer capable of breaking the encryption is built.

This threat means that any organization that wants to secure its data over a longer lifespan must take steps to adopt quantum-safe encryption as soon as possible or risk exposing any current data to a quantum attack. They must also operate under the assumption that any attack in which encrypted data is harvested could present further reputational and regulatory issues in a decade’s time.

Do you think the recent global events affect the way people approach cybersecurity?

There are currently over 15 nations with significant quantum computing R&D projects, but the US and China are clear leaders. The UK, France, and Russia are not far behind.

Given the investment requirements for the research and development of quantum computers, it is likely that the early iterations of the quantum threat could be state-sponsored attacks.

Recent global events have heightened the overall volume of cyber activity, both state-sponsored and independent threat actors. Therefore, the need for governments and businesses to move quickly should not be underestimated.

Which industries do you think should be especially concerned about making their systems quantum-safe?

Given the potentially lengthy time horizon for the development of a quantum computer capable of breaking current encryption standards, we support businesses who either need to secure data over a long time span or who operate in strategic sectors such as semiconductors and defense. This means that we are working with businesses up and down the supply chain to incorporate post-quantum cryptography, across sectors and across geographies.

Within the next 2-5 years, it will become the norm that all companies that hope to do business with governments and hold state contracts will need to have adopted post-quantum cryptography.

Brands that are developing consumer products with a 5-10 year lifespan should also be aware that it will soon become an expectation that they are quantum secure, particularly as we embrace an IoT-connected world.

What are the biggest mistakes you notice people make when it comes to handling large amounts of sensitive information?

The hesitation to take action. While we wait for NIST to make its decision on post-quantum cryptographic standards, there are actually several steps that businesses can take to prepare for what will be the largest cryptography transition in decades.

Initially, businesses should be following the lead of the White House, which has made significant steps since the start of the year, firstly publishing a Memorandum in January that ordered all US Government agencies to conduct an audit of their digital infrastructure and identify where they have encryption that is vulnerable to the quantum threat.

With the US Government setting the example, businesses must quickly establish where they themselves are exposed to the quantum threat. This will make it possible for CIOs and CISOs to prepare a roadmap to quantum security, taking into account a number of considerations such as the value of the data exposed, the life cycle of the hardware to be replaced, and the requirements for future vendor agreements.

A recent White House statement emphasizes the importance of acting early:

"NIST will soon be publishing new cryptographic standards that can protect against future [quantum] attacks. But the process to transition America’s most vulnerable IT systems to these new standards will take substantial time, resources, and commitment. Accordingly, America must start the lengthy process of updating our IT infrastructure today to protect against this quantum computing threat tomorrow."

What security tools and solutions do you think are essential for every organization and individual to keep up in this age of ever-evolving technology?

There aren’t many complete solutions to the quantum threat and the general industry consensus, led by NIST and the NSA in the US, the UK’s GCHQ, or France’s ANSSI, and indeed by the wider cryptography community is that the replacement of current encryption with post-quantum cryptography would be the best solution given the potential to work with companies’ legacy systems to protect devices and sensitive data now and for years to come.

Cyber threats need to be managed with an end-to-end approach which is why, as a product company, we have developed a range of post-quantum cryptographic solutions including ready-made and tailored hardware cryptography IPs for low and high-end devices (secure elements, hardware security modules (HSMs), etc.); IoT firmware; public key infrastructure (PKI); server technologies; and advanced end-to-end encrypted messaging platforms.

As we are still waiting on the NIST results, we have ensured that we remain an algorithm-agnostic vendor, offering size and performance-optimized implementations of all of NIST’s PQC finalist algorithms, which means that we could support companies in their transition to quantum-readiness even before the NIST standards were announced.

What does the future hold for PQShield?

In January of this year, we received a catalyst from our $20 million Series A funding round led by Addition which we are already using to fuel development, hiring, and expansion, particularly in the US, Europe, and Japan.

We’re also seeing huge inbound demand, in part because this is such a critical time for PQC. On the one hand, there’s the pending announcement of new international standards for post-quantum cryptography, and also the rising awareness among businesses - particularly CIOs and CISOs - of the pending threat and the need to take steps to identify and replace vulnerable encryption as we transition towards a quantum secure future.