Post-Quantum’s Andersen Cheng on EY and PQC
Post-Quantum, a London-based post-quantum cryptography company, recently announced the professional services giant EY is adopting its PQC solutions, including Hybrid PQ VPN, the Nomidio quantum-ready cloud service with biometric authentication capabilities, and PQ Chat, a quantum-safe mobile messaging app.
Andersen Cheng, Executive Chairman and Founder of Post-Quantum, and a speaker at IQT events, engaged in an email Q&A with IQT to talk more about the EY relationship and the importance of bringing different kinds of solutions forward to help build out the quantum-safe ecosystem. Below is an edited version of that Q&A.
IQT: Will most customers need all three of the solutions EY is adopting?
Andersen Cheng: Since every system using public key cryptography is vulnerable, an entirely new quantum-safe ecosystem is required if one wants a true quantum-safe end-to-end platform. Even before the arrival of a functioning quantum computer, all businesses need protection against Harvest Now, Decrypt Later attacks right now. We would expect that most businesses will need the Hybrid PQ VPN and our quantum-ready Nomidio ID as a minimum, with PQ Chat to be deployed depending on the nature of an organization’s communication requirements.
Generally the Hybrid PQ VPN will protect all data in transit from attack by quantum computers on its own; however, this will count for nothing if your point of access is weak. For instance, if you have a weak password or biometric authentication that is vulnerable to deepfake technology, it won’t matter how secure your ‘pipes’ are, because bad actors will be able to access your account to gain entry.
When our quantum-safe PQ Chat was first released it was available on the app stores for widespread use. However, soon after we chose to delist it as it was so secure that it had become a recommended tool for ISIS! Now we provide it on a limited basis to approved organizations for secure messaging. Again, this solution can be further enhanced with a secure identity infrastructure such as Nomidio.
IQT: Do these solutions use the algorithms being standardized by NIST and/or others as well?
AC: Although NIST has come up with its first standards, global standardization is far from being uniform. NIST, for example, has standardized Kyber as its new encryption standard; the German and Dutch governments have endorsed our Classic McEliece instead. Adding to the confusion, we are also in the process of working with an enterprise which will need to use their own country’s endorsed algorithm.
The answer is very simple: if no one can adopt a single standard in the world, the only solution you have is to practice crypto agility in order to enable interoperability. We have been preaching and practicing this hybridization approach for a number of years now as it is the only way you can communicate with users in different countries. Moreover, you need to ensure backward compatibility to enable a smooth transition from the current algorithms to the future ones.
IQT: How significant is gaining EY as a customer? Is this one of your biggest customers or deployments thus far?
AC: EY is one of the largest consulting firms in the world, and the potential to sell to their many clients is as exciting as EY being a customer. We have a number of other deployments in both the public and private sectors, but we’re unable to discuss many of them.
IQT: How will EY’s use of your solutions and its belief in the value of PQC influence organizations who are still considering what to do about the quantum threat?
AC: EY has long understood quantum computing and its various impacts, including cyber security. The company also offers quantum consulting services, and will now have our products available to deploy across the many businesses which they advise, while being able to point to themselves as a current user when pitching to any new clients. Indeed, other consulting firms have realized the US Quantum Computing Cybersecurity Preparedness Act is going to generate multi-year, multi-billion dollar quantum migration opportunities, and they are rapidly re-gearing their practices to cater for this legislated and guaranteed demand.
IQT: Can you talk more about the process of working with EY?
AC: Working with an organization such as EY does not happen overnight and it was a long process from the initial dialogue, to prioritization, scoping, testing, deployment, joint-pitching, etc. Conversely, the one aspect which took no time at all was our product evaluation, as our credentials were all in the public domain for all to verify, especially in this deep tech sector where not many people are equipped to evaluate similar solutions.
Apart from our NIST submission being in Round 4 currently, we also authorized the hybrid PQ VPN protocol which is now being standardized by the Internet Engineering Task Force (IETF). We were also fortunate that we have worked with NATO for a number of years and they already trialed and tested our VPN and published our findings a couple of years ago.
Dan O’Shea has covered telecommunications and related topics including semiconductors, sensors, retail systems, digital payments and quantum computing/technology for over 25 years.