PQShield’s Ben Packman discusses security preparation and planning in the lead up to a post-quantum world.
At the start of the year, SiliconRepublic.com reported on numerous tech trends and predictions slated for 2025. Unsurprisingly, AI dominated a lot of predictions in regards to working life, skills trends and cybersecurity.
But while AI continues to be the word on everyone’s lips in sci-tech, we also saw increased discussion of quantum technology and its potential applications in the future.
In particular, experts predicted a rise in quantum-resistant cryptography, also known as post-quantum cryptography (PQC), as organisations prepare for a future where advanced quantum tech could severely compromise their systems.
One company heavily focused on PQC is PQShield, an Oxford University spin-out founded in 2018 that is striving to equip businesses and organisations with this technology and ensure cybersecurity resilience in a post-quantum world.
“We’re there really to modernise the security systems of the global supply chain,” says Ben Packman, speaking to SiliconRepublic.com.
Packman is PQShield’s chief strategy officer, who has been involved with the company for more than six years, having been introduced to company founder and CEO Dr Ali El Kaafarani the day after he started the business. For the first couple of years, Packman helped Kaafarani on a consultancy basis, before taking a full-time role after the company’s Series A funding round in 2021.
“After that, I joined full-time, and subsequently I look after our general global growth strategy, our sales team and our marketing team, and generally, then briefing people as wide and far as possible on the topic.”
Quantum misconceptions
Working with organisations on post-quantum concerns sounds like no easy feat. While AI has reached the comprehension of the masses, chances are that a significant number of the general population don’t know about or don’t fully understand the topic of quantum computing and what a post-quantum future entails. And for good reason, as even just the term quantum is almost synonymous with complexity.
In conversation with someone whose role heavily involves communicating and strategising with organisations about quantum considerations, one has to wonder if people’s perceptions of the advanced tech causes roadblocks in the pursuit of quantum security.
“Yeah, sticking quantum on the front of everything is not necessarily helpful to people’s understanding and sort of running towards it and embracing it with open arms,” laughs Packman.
‘Post-quantum cryptography doesn’t require a quantum computer’
“I think there’s some misconceptions,” he says. “I think quantum has very many things attached to it in terms of people’s perceptions. Depending on your age, I guess they have very different perceptions.
“Back to TV shows in the 70s around quantum, and some people think about Marvel films and ‘Quantumania’ and all this kind of wonderful stuff. And so it’s a topic that people struggle to understand, and therefore it is slightly unhelpful.”
But Packman says the root to solving this lies in focusing on the security and compliance side of things. “Security is fairly well understood by most people in enterprise or certain departments in enterprise, and so slightly divorcing ourselves from the quantum computing piece and moving towards standards compliance, I think is actually just net helpful to this change happening,” he explains.
“Obviously, got to keep an eye on everything else that’s going on,” he adds. “We can’t ignore the quantum computer. But post-quantum cryptography doesn’t require a quantum computer.”
He explains that ultimately, quantum computers just happen to be particularly good at the maths that sit behind RSA and ECC encryption systems.
“So, PQC is – in extremely oversimplified terms – changing the maths to maths that quantum computers find hard, and I think that is far more understandable, even when you say it like that to most people.
“The cryptography itself is new, but it’s actually based on maths that’s decades and decades old. So it’s not really new, it’s a new implementation of mathematical techniques that are well understood around the world.”
Ben Packman. Image: PQShield
Plan accordingly
In promoting PQC and post-quantum preparations, an important consideration that Packman urges organisations to adhere to is taking a pragmatic approach to the shift to PQC, meaning organisations should avoid tackling it all in a hurry at the last minute with the likelihood of making a huge amount of mistakes.
“I think it’s important that people recognise that the cryptographically relevant quantum computer is the backstop, not the start point,” he says, citing two reasons for this.
“One, harvest now, decrypt later is a real thing, and especially if you’ve got that kind of data, then you need to be protecting it now. But secondly, this is a long process to migrate. You know, cryptography is everywhere, everything from your car key to the cards you have in your wallet, to the things you have on your phone, and all the other bits.
“One thing we’ve been advocating [for] is, if you plan for this, and you think about where your most sensitive data is, which lenders are the ones that are handling effectively that data for you, and you start engaging with those people, then you can actually probably turn this into more of an IT refresh programme over the course of a number of years, rather than necessarily this huge beast that’s going to need extra investment.”
New standards, new approaches
In the years since PQShield’s establishment, the company has been proactively engaged in all-matters PQC, such as contributing to major regulations and government consultation, including an invitation to the White House for a roundtable discussion as well as a trip to the European Parliament – both of which were attended by Packman.
One major regulation that PQShield contributed to is the US National Institute of Standards and Technology (NIST) standards for quantum-safe cryptography. In August 2024, NIST released its first set of finalised encryption algorithms, known as “post-quantum encryption standards”, to protect devices from quantum computers (around the same time, PQShield revealed its PQC-compliant silicon chip).
As Packman explains, quantum computing and PQC have been “joined at the hip” up until this point, with the introduction of these standards representing a “slight parting of ways”, where the conversation is now shifting towards compliance and new standards, “rather than when there will be a cryptographically relevant quantum computer”.
“That changes the conversation, that changes the urgency and the discussion, which is exactly what standards are there to do,” says Packman. “And so while we have to stay aligned to quantum computing – and the quantum threat is still a real and tangible thing – at the end of the day, we can now start talking about the compliance to those standards and how those standards are flowing their way down through the market.”
Recent regulation in relation to quantum security appears to have a significant tone of urgency, as evident in the US’ Commercial National Security Algorithm Suite (CNSA), a set of cryptographic algorithms recommended by the National Security Agency. In 2022, the CNSA 2.0 guidelines were released, which included recommendations for PQC algorithms for use in US federal systems.
These guidelines include a timeline that indicated a full transition to these standards by 2033, including all legacy systems. Packman describes the programme as “aggressive” but necessary, “particularly if you’re in a position where you have sensitive data that you are using today across the internet or in various different systems”.
Harvest now, decrypt when?
But while regulations and guidelines like CNSA 2.0 do hold a certain degree of urgency, Packman believes it’s warranted due to ongoing quantum security trends, most notably the ‘harvest now, decrypt later’ phenomenon.
Harvest now, decrypt later refers to a method by which threat actors gather encrypted, sensitive data that they are unable to crack and holding it for when they can utilise quantum technology to decrypt it. This is a top concern that Packman says needs to be addressed now, with organisations putting in preparations and strategy sooner rather than later.
“Now, am I particularly worried about a transaction I did online this morning? Personally, no, I think that’s a long way away before we have a hacker with a quantum computer in their bedroom,” says Packman.
“But obviously nation states, you know, the profile of the potential attacker with a quantum computer initially is going to be at that kind of level, large conglomerates, nation states etc. And therefore national security data, financial data, those types of things are going to be fair game in terms of how they would look to potentially disrupt using that data.”
Many may wonder, how far away we are from the turning point of this issue, where the quantum tech capable of decrypting this data is fully realised. But Packman states that nobody really has a definitive answer, and realistically it won’t be apparent or disclosed when it happens either.
“The one thing that I think is really interesting is that – and we see some of these kinds of Chinese papers that pop up once in a while claiming to have broken this – nobody’s going to tell anyone,” he says with a chuckle. “If you’d broken RSA and ECC, like, why would you tell everyone? Right? You wouldn’t. You’d just happily sit there reading everybody’s information and having a lovely time and taking that advantage.”
He uses the historical comparison of when Allied scientists broke the German Enigma code during the Second World War and how, for obvious reasons, they kept quiet about their breakthrough in order to keep successfully intercepting German communications.
“So I think, it’s a little bit false to think that we’re suddenly going to know when it happens,” he says. “It’s going to become apparent at a point in time. There is no Q-Day, as some people like to call it. It’s happening all the time, it’s evolving all the time.”
And while there’s no telling when it’s going to happen, Packman points out how the quantum world has seemingly slowed down in showcasing accomplishments to the public.
“Going back five years ago, every advance anyone made with a quantum computer was published feverishly, and there was this kind of ‘stepping stone’ of build-up,” he says. “That’s all slowed down fairly recently and what that tells me is that those people are getting closer, and people are holding their cards closer to their chest.
“So, I don’t know the answer to the question of ‘when’. But all I can say is the hacking is already happening, the harvesting is already happening and, as they say, the person who actually does do that breakthrough or the nation that does do that breakthrough is not going to broadcast it and certainly not going to do a press release I would imagine.”
Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.
