Q&A with Andersen Cheng, CEO Post-Quantum
By Andersen Cheng, CEO at Post-Quantum
We caught up with Andersen Cheng, CEO at Post-Quantum, about the threat posed by quantum computers, developments in quantum-safe encryption and his view on how best to prepare.
You started Post-Quantum 10 years ago, why?
After working with my co-founder Professor Martin Tomlinson in a prior top secret grade security venture, we were looking for the next big problem to solve together. Martin said to me one day, “if you really want to save the world then protect it from quantum computers, because that really will be the end of the world as everything is dependent on public key cryptography.” We’ve been working on it ever since with our third co-founder, CJ Tjhai, with the vision of creating a quantum-safe ecosystem.
What does the company do?
Our aim is to develop protection against the cyber security threat posed by the rapidly developing code-breaking capabilities of quantum computers.
Our encryption algorithm (NTS-KEM, now called Classic McEliece after merging the submission led by Professor Daniel Bernstein) is the only ‘code-based’ finalist in the National Institute of Standards and Technology (NIST) competition to develop a new global encryption standard capable of protecting data from quantum attack.
Experimentation in a lab-controlled environment is completely different from creating commercially robust and usable products for real world deployments. Having spent our early years on heavy R&D, it enabled us to move into the commercialisation phase a couple of years ago.
We’ve developed a range of ‘quantum-safe’ cyber security tools, including digital identity, virtual private network, secure messaging and collaborative authentication. The company works with governments, large corporations and academia to help them future-proof cyber security.
How significant is the quantum threat?
It’s hard for time-pressed cyber security teams to dedicate time to thinking five years ahead but the threat posed by quantum hacking is so significant it demands we all lift our gaze from the here and now.
If a rogue nation state or criminal enterprise manages to develop a functioning quantum computer then today’s encryption will become useless immediately. That means wholesale access to government secrets, banking transactions and intellectual property. Also, cryptocurrencies like Bitcoin are vulnerable at present. It really is an existential threat to our world and the systems that run it.
When do you think a mature quantum computer will be developed?
People often talk about commercial quantum computers, and that’s a long way off. But from a cyber security perspective, we’re not talking about commercial machines; a huge, poorly functioning prototype in the basement is all that’s needed to break today’s encryption.
That prospect is much closer and it could be within the next three to five year horizon. There have been major announcements from Google and Chinese researchers, each using different routes to achieve ‘quantum supremacy’, rapidly completing a problem that would take hundreds of years with classical computers. This sounds abstract, but then code-breaking is also an abstract task and one quantum machines are well suited for.
What’s the next stage in the NIST competition?
There are now only a handful of submissions remaining in the competition and we are the only ‘code-based’ entry in the encryption category. The community is thoroughly attacking each algorithm and stress testing their security.
It’s then over to NIST to decide on the algorithm or algorithms that make up the final open source standard for post-quantum encryption upon which we will all depend. We’re hopeful our work will form part of this standard as the foundation is based on the Robert McEliece cryptosystem, which the community has concluded to be quantum-safe, having tried and failed to crack it for over 40 years.
Isn’t it simply a case of swapping out your crypto library to the new NIST standard?
Unfortunately not, if only it were that simple. Enterprises and governments will be running multi-year projects to audit their applications and infrastructure to see where encryption needs to be upgraded. The competition for talent and expertise will be intense.
It’s also not as simple as swapping the algorithms. Certainly for the first few years most organisations will run both traditional and post-quantum algorithms together, offering greater assurance against traditional attack, as well as protecting from future threats.
Which type of organisation is upgrading to quantum-safe first?
We’re already in conversations with governments and major banks, both of which have a duty to thoroughly protect their secrets. Other highly regulated or intellectual property rich sectors like drug discovery and electric car manufacturers are also interested in mitigating the risk. Ultimately, we will all need to transition but that will take many years, typically a decade, and it’s only just beginning now.
What advice do you have for a CISO that needs to go quantum-safe?
It’s important to think end-to-end and not simply about encryption. If you do quantum-proof your communications, perhaps with a VPN product, then the risk shifts to employee identity. If I can compromise an employee’s password then I don’t need to use my quantum computer to attack your encryption at all. If your staff use mobile messaging systems then those will be vulnerable too.
At Post-Quantum we’re building a suite of solutions that are all quantum-safe and which offer a clear option when a business needs to upgrade or retire an existing system. Why upgrade to something today that isn’t quantum-ready? It’ll need significant change in the coming years.
Andersen Cheng, CEO at Post-Quantum
A computer auditor by training, Andersen was European Head of Credit Risk Management at JP Morgan, Corporate Development Director of LabMorgan (FinTech incubator) and also COO of the Carlyle Group’s European venture fund. Subsequently, Andersen ran TRL which was a provider of government grade security solutions – TRL was subsequently sold to L-3 Communications, a top US Defence Group.
10 years ago, Andersen established Post-Quantum, a start-up working to develop encryption capable of withstanding a quantum attack. The firm is a frontrunner in NIST’s global competition to set a future cryptographic standard to replace RSA and Elliptic Curve; and was also the original contributor to IETF’s hybrid PQ VPN protocol standardisation. Most recently, using many of Post-Quantum’s R&D innovations, the company also founded Nomidio, a SaaS-based biometric authentication and verification business, that works with the likes of Hitachi Capital and Avaya to deliver low-code biometric identity solutions which can be implemented in under 8 minutes.