Safeguarding semiconductor IoT security with post-quantum cryptography: Q&A with Crypto Quantique CEO Shahram Mossayebi

Judy Lin, DIGITIMES Asia, Taipei 0


The global trend of cybersecurity legislation development, with the European Union's Cyber Resilience Act (CRA) slated for enforcement in 2024, will impact the IoT ecosystem and require companies to ensure compliance when operating globally.

Shahram Mossayebi, co-founder and CEO of a British cybersecurity startup, is now in Taiwan visiting semiconductor company partners and implementing team expansion in Taiwan. He shared how Crypto Quantique plays a role in securing end-to-end security for IoT devices with an exclusive DIGITIMES Asia interview.

Q: When people think about cyber security, they often only think about the software. But Crypto Quantique's solution includes both the software and hardware. Why is that?

The definition of security can be the confidentiality of the data and integrity of the data in a traditional sense. However, when it comes to IoT devices, there is a security definition transcending the traditional definition because of the use cases. For example, an individual could be driving their car at 100 miles per hour, it could get hacked, and they could crash or die. That means people must include the devices and think about how to secure them as part of their cybersecurity strategy. Therefore, device security should be considered for IoT devices and IoT security. In other words, IoT security starts from the device and then goes all the way through the software. Individuals cannot simply avoid devices, assume they have software security, and think that will be enough to help. That's a new paradigm that the board needs to shift toward, understand, and adjust.

We provide IPs to help companies add security and route of trust to their chips because that's the essential element currently needed to bring and create bridges between the software and the hardware. Given how expensive it is to build and ship chips, and we are based in Europe, investment for these chips is high. Therefore, we are trying to be supportive and build IPs that can be integrated into other systems.

Q: How do you work with semiconductor companies? Do you license your IPs to them?

Absolutely. Yes, we've worked with semiconductor companies and licensing the IP to them. Our partners include ST, Microchip, Macronix, Andes, Renesas, Wurth Elektronik, BT, etc. We will have another announcement coming up next week in Taiwan. We've done some integration with some big names in Japan. It's under NDA, and we cannot disclose the name yet. However, the IP has been integrated into some commercial chips.

Q: Besides IP authorization, you also provide a solution as a service, right? Does that mean that you also provide hardware-included solutions to your customers?

It depends on the customer. As part of our effort to the security ecosystem, we also are partners with some big semiconductor companies such as Intel, ST Microelectronics, Microchip Technology, and Renesas. That means they already have secure MCUs and secure CPUs and GPUs. We build the embedded software for their hardware. If their customers want to quickly set up the whole end-to-end security with one of those MCUs or MPOs, they can get the SDK embedded SDK from us or use the SaaS model. And that allows them to move to a secure solution from their side. We sometimes work with SI and OEM or DMS, and they want to build everything from scratch. So they asked us about which hardware, "Would you recommend which secure element would you recommend?" And so we do that, but the hardware is from the partners.

Q: How do your solutions work to protect IoT cyber security?

Our approach is "zero-trust" and "zero-touch". Zero trust ensures that security measures are continuously applied, reducing the risk of vulnerabilities and unauthorized access. "Zero touch" refers to automating processes in a way that requires minimal manual intervention. In traditional security models, there was a tendency to establish trust once and assume it throughout the device's lifecycle. However, the "zero trust" model challenges this assumption.

In a zero-trust approach, trust is never assumed by default. Instead, each interaction and communication between devices, components, or entities is verified and authenticated independently.

This model is especially crucial in IoT devices, where numerous components may come from different vendors and operate in a diverse and dynamic environment.

In the context of IoT security, zero-touch means automating the provisioning and onboarding of devices without the need for extensive manual configuration or setup.

Devices are designed to securely connect to networks and services without human intervention, reducing the risk of errors and streamlining the deployment process.

This approach is essential for scalability, especially when dealing with a large number of IoT devices that need to be quickly and securely integrated into a network.

Combining "zero-trust" and "zero-touch" principles in IoT security helps ensure that devices are secure by design, minimizing the potential of vulnerabilities and allowing for efficient and automated deployment processes. It's about establishing a continuous and automated security posture throughout the lifecycle of the devices, from initial provisioning to ongoing management.

Q: Your website mentioned using post-quantum cryptography as part of your solution. Since most people are not very familiar with quantum technology or post-quantum cryptography, it would be helpful for you to explain a bit. Why is it important for cybersecurity?

Cryptography is the cornerstone of cybersecurity. Cryptography involves using mathematical algorithms to protect data through encryption, signatures, and safeguarding confidentiality and integrity.

The introduction of quantum computers, specifically Peter Shor's algorithm developed in 1994, posed a potential threat to existing cryptographic algorithms like RSA. Quantum computers can theoretically break these algorithms in a much shorter time than classical computers.

To address this, the cybersecurity community initiated the development of post-quantum cryptography (PQC) to create new cryptographic schemes based on mathematical problems that are hard for quantum computers to solve. The US NIST (National Institute of Standards and Technology) started a standardization process for PQC, inviting global submissions. Some survived rigorous analysis and are expected to become the first PQC standards by the end of 2024.

The transition to PQC involves adopting these algorithms at the hardware and software levels. While it ensures compliance with emerging standards, it also enhances security. However, PQC algorithms can be more resource-intensive, requiring more memory, compute power, energy, and bandwidth, posing challenges for IoT devices.

To address these challenges, we collaborated with the University of Zurich to optimize PQC algorithms for the IoT ecosystem. The goal is to reduce memory and bandwidth requirements, speed up processes on constrained devices, and develop a product for building PQC infrastructure for IoT devices. This effort aims to ensure IoT devices meet the security standards introduced by PQC while addressing the resource constraints inherent in IoT environments.

Q: How big is your team right now? And what is your vision for your company in the next five years?

We are 35 people. We are expanding in Taiwan, and hopefully, in the coming months, we will hire more. Our staff here are more around commercial and support for customers and technical support for customers, but we're also looking into creating an R&D team here. We're growing in Israel and Europe and also in North America. The vision for the next five years is to secure millions and millions of devices. We are well-positioned and have the right partners to build security at the very beginning of the chain. When they get hold of their components or a product, they have security built in by design, can seamlessly adopt the solution, and then focus on generating value from the device or the data produced by the device rather than thinking about how to secure the device. That is what we're pushing for, and we are hopefully looking to or thinking about an IPO around 2029.

Q: What is your funding status? Are you looking for fundraising next year?

Overall, we have raised a little over GBP20 million in the UK. Our main investors are British-based, but we have French and American investors with smaller shares. We also won around EUR5 million in grants for our R&D effort from the European Union, and they see the value that we provide. As a startup that scales, we always look for funding. We are looking to do another round at the end of 2024, most likely pushing it to 2025 depending on how the economy changes. If we see positive changes in the market for fundraising, we can do a round at the end of 2024. Otherwise, we can push it to 2025 as we are looking for another GBP25 million or US$30 million.

Q: What's your scale-up plan? How many people you are planning to hire?

On the software side, we will support the wider ecosystem. For example, we just started supporting the NPU market for embedded Linux devices. There are so many different types of devices that we can support. For us, it will be to put more engineers to build the embedded system and better software layer to help vendors with different hardware appliances connect to our core SaaS model. That amount could easily grow by 200 people, and many of them will be in Taiwan.