Quantum computers will change the cybersecurity threats that businesses face, but CyberTech 100 Listed PQShield is stepping up to ensure companies stay ahead of the curve.
Doctor Ali El Kaafarani is trying to make companies safe from the future digital threats posed by quantum computers through PQShield, the cybersecurity startup he is the founder and CEO of.
Back in 2015, El Kaafarani became painfully aware of just how badly businesses cut it when it came to their digital defences. He had just finished a stint with Hewlett Packard Labs and had seen first-hand how businesses were fighting back waves of hack attacks. Yet, when he returned to the University of Oxford’s Mathematical Institute as a research fellow it became clear to him that companies were not doing enough. Not even close. “It was shocking, really,” says El Kaafarani. “The industry is like ten, 15 years behind what academics are saying about broken schemes or things that will go wrong.”
The way he saw it, a lot of businesses had simply adopted an attitude of patching their digital defences when they absolutely needed it, thinking that it would cost too much to give their cybersecurity a complete overhaul. “They just left it until the last minute and when things went wrong, then they said ‘okay, let’s change it,’” El Kaafarani says. While this might have worked for businesses in the past, the tech world is set for a massive paradigm shift.
Quantum computers will change everything. The idea behind the technology has been around since the 1980s. Rather than using only the traditional zeroes and ones, these computers would also use quantum bits, or qubits, when they process programs. Qubits can represent zeroes and ones at the same time in a state called superposition. What that means is that these machines will be able to crunch computational problems at a fraction of the time it would take any other device that has come before it, in some cases slashing billions of years of processing time into minutes. This could result in a significant cybersecurity threat for companies running on old software. Simply put, it means that the encryption many businesses use to keep their systems safe could be cracked really easy with a quantum computer.
Tech giants like IBM and Google as well as governmental bodies around the world are working on creating the first quantum computer. “Everyone wants to win this race,” says El Kaafarani. While the technology has yet to materialise, it is on the way. In 2015, about the time that he had joined the University of Oxford, the US National Security Agency issued a public warning that quantum computers were inbound and that organisations better get their ducks in a row or risk suffering seeing their security compromised in a not too distant future. “So at that point, it was clear that the risk is real,” he continues. “And since cryptography is all about mitigating the risk, there’s no logical reason to not to be ready for the quantum era.”
El Kaafarani’s first project at the University of Oxford was leading a post-quantum cryptography project. About a year into the project, they realised that the project would work better as a commercial enterprise. “At the math departments, you want to hire PhD students or postdocs, which is fun, but that’s not how we can build a product,” he remembers. “If you want to build a product, you have to hire practitioners who have been doing this for years. And that’s when the idea became clear in my head that we should spin out from the University of Oxford [and launch] a startup specialised in post-quantum crypto.
Not resting on his laurels, El Kaafarani launched PQShield in May 2018. A few months later, the company’s first engineer joined the budding business. The company now employs about a dozen workers. “So a bunch of bright minds and brilliant cryptographers who are actually the designers of a bunch of schemes that are being standardised at NIST (National Institute of Standards and Technology),” he says. “We have people who really know what they’re talking about when they talk about the standardisation process because they are heavily involved in this standardisation process.”
Backed by this impressive team and the financial support of angel investors, Oxford Sciences Innovation (OSI), Kindred Capital, and Crane, the company set out on its journey. El Kaafarani also hints that more news about additional funding might be in the pipeline.
Of course, a company is all about the products. The team started off by looking at what the biggest risks were. It became clear to them that most quantum attacks would happen in retrospect. What that meant was that hackers may be able to harvest secure data today, but that this encrypted information would
just read like complete gibberish until they got their hands on a quantum computer. When that happens, which El Kaafarani believes could be in the next decade, the confidential data could be compromised. “We wanted to solve that challenge,” he says.
The startup provides quantum-secure cryptographic solutions for software, both software and hardware co-design and data in transit. The hardware solutions are designed around RISC-V architecture and completely built in house. RISC-V is an open standard instruction set architecture based on established reduced instruction set computer principles available through open source. The solution can bridge the gap between legacy systems and post-quantum systems. The idea is that the company will license the design of the chips to people producing the hardware. PQShield also offers implementations of post-quantum primitives and a software development toolkit for enabling ‘data in transit’ messaging solutions using post-quantum algorithms, leveraging a new, provably secure, Signal-derived protocol.
But having tools on offer isn’t enough, PQShield also had to convince prospective clients that they actually needed the solution. This proved a bigger challenge than expected. “We don’t have quantum computers yet, so why should they care?” El Kaafarani says a lot of potential clients seem to think. When faced with that argument, the PQShield team try to explain that while quantum computers are some time off, bad actors can already harvest encrypted data now. When the technology does arrive, it’s just a matter of time before they can decrypt that data. In other words, sceptical clients must be certain that their privacy policies and the legislation that they must comply with do not say that they have to keep the data secure for three, five, ten years or however long it will take to launch a quantum computer. Yet, given NIST published another whitepaper in late May 2020 that offered an updated roadmap on how companies can prepare for the oncoming paradigm shift, it’s clear that there are reasons to take the cybersecurity risks of quantum computers seriously.
El Kaafarani compares it with having car insurance. “If you don’t drive a car and you never get into the car, then you don’t need car insurance to help you if you have an accident,” he says. “But when you have a car you need insurance. This doesn’t mean that the accident should happen tomorrow. But this means that or there is a chance that this might happen. With quantum computing, it’s even worse, we now know that it’s happening soon, we just don’t know exactly when”
At the moment, PQShield is at the beginning of its commercialisation journey and El Kaafarani hints that it is soon going to announce the first big customer in the OEM world. Yet, while the company’s journey is just getting started, it’s safe to say that the future has already arrived for PQShield.