(Q&A) “Classical & Quantum Security 2024” by Julian Fay, SENETAS CTO
In the annual meeting of IEEE Thailand section 2024, one of the most interesting topic as a keynote speech is given (online) on the aspects of classical and quantum security—particularly encryption technology. While John Du Bois, a former CEO of Senetas, gives us a CEO's Talk 2024 on November 29, 2024, Julian Fay Senetas CTO cordially answers in details of related stories to Q-Thai forum. Multiples insights from key opinion leader are shown in parallel in this Q-Thai SEM2024 #7. This annual event is good for all technology lovers, entrepreneurs, and specially policy makers who involving with the national security.
The following Q & A session, Q-Thai forum organized in deep, to convey more specific information to audiences regarding “Classical & Quantum Security”. With our updated situations specially on related classical & quantum security in Thailand those raising many important questions, Mr.Julian Fay who has been working in this security industry for many decades, thoroughly provides fantastic answers at below. Let's see what is updated in classical and quantum technology that could secure our IT systems and what are those hypes in the current quantum ICT era !
Q& A session by Pudsadee Purmtummasind and Keattisak Sripimanwat
| Published November 1, 2024 |
Q1: Why post-quantum cryptography (PQC) is highly important compared to the previous classical encryption, what about its market as well as opportunity and risk from your point of view ?
Julian Fay:
Post-Quantum Cryptography (PQC) is crucial for future-proofing digital security as it addresses the looming threat posed by quantum computers. Here are some thoughts on the importance, market opportunities, and risks from both a technology and business standpoint.
1. Importance of Post-Quantum Cryptography:
Classical encryption at risk: Classical encryption methods, particularly those based on asymmetric algorithms like RSA, DSA, and ECC, rely on the difficulty of factoring large numbers or solving discrete logarithms, problems quantum computers could solve efficiently using algorithms like Shor’s algorithm. Once a sufficiently powerful quantum computer exists, it can break these algorithms in minutes, rendering most of today’s encryption obsolete.
PQC’s promise: Post-quantum cryptography focuses on developing algorithms that are resistant to quantum attacks. Unlike quantum cryptography, which relies on quantum mechanics for communication, PQC builds on classical mathematical techniques but in ways that quantum computers cannot easily break (e.g., lattice-based, hash-based, multivariate polynomial-based, and code-based cryptography).
Urgency in migration: Given the potential for “harvest now, decrypt later” attacks, where adversaries store encrypted data to decrypt once quantum computers become available, transitioning to quantum-safe algorithms is essential today, even before large-scale quantum computers exist.
2. Market Opportunities:
Enterprise and government sectors: As the world moves toward PQC, organizations need to update cryptographic infrastructures. This shift creates massive opportunities for cybersecurity companies to provide quantum-resistant solutions to industries like finance, healthcare, and government, where long-term data protection is critical.
IoT and 5G: The proliferation of connected devices and 5G networks increases the urgency for securing these ecosystems. Many devices, such as those in the Internet of Things (IoT), have long lifespans but limited processing power, making lightweight PQC algorithms a new area of product development.
Consulting and migration services: Another significant opportunity lies in helping organizations transition to post-quantum systems. Migration for large organisations may be complex, requiring a transition program to be put in place to first identify and classify quantum vulnerable cryptography and then transition to these new algorithms.
3. Risks and Challenges:
Uncertain timeline for quantum supremacy: One of the primary risks is that the exact timeline for when large-scale quantum computers will be available is still uncertain. This could make businesses hesitate to invest heavily in PQC solutions right now, leading to a slower adoption curve. Early movers could invest in the wrong algorithms or solutions if the quantum computing landscape changes dramatically.
Algorithm maturity: NIST has now standardised the PQC algorithms but they are still relatively young compared to classical algorithms like RSA or ECC. It is possible that some of these algorithms may face unforeseen vulnerabilities or performance challenges, leading to adoption risks.
Compatibility and performance issues: Post-quantum algorithms often have larger key sizes and may require more computational resources, which can strain existing infrastructure, particularly in constrained environments like IoT. This could result in compatibility challenges with current hardware and software solutions, requiring significant investment in upgrading or overhauling infrastructure.
Regulatory risks: Governments and industries have a strong interest in transitioning to quantum-resistant cryptography, but the regulatory environment is still evolving. A company that invests too early may find itself misaligned with eventual standards or facing new compliance hurdles.
Conclusion:
PQC is a critical step toward securing the digital future as quantum computing advances, threatening today’s encryption methods. The shift offers enormous opportunities, particularly for cybersecurity firms, technology providers, and consultants who can help businesses make the transition. However, risks such as uncertain timelines, algorithm maturity, and performance challenges need careful consideration.
From a strategic standpoint, businesses should begin planning for a quantum-safe future, testing PQC solutions, and preparing migration paths to stay ahead in an evolving market. The best approach is likely a hybrid one, combining both classical and post-quantum cryptographic techniques, to ensure resilience against both current and future
Q2: From your experiences working with many national intelligence in ASEAN countries, what about their strength or weakness, are they ready to resist cyber war?
Julian Fay: So I see a few strengths and some challenges:
Southeast Asia is a highly digitalized region with an 80% internet penetration rate and a rapidly growing digital economy. As such, cybersecurity has become an increasing priority, especially given the rise in cybercrime and geopolitical tensions. Between 2021 and 2022, cybercrime surged by 82%, with Singapore, Indonesia, Thailand, and Vietnam being the most frequent targets due to their high digitalization rates.
Strengths:
Digital Readiness: Countries like Singapore and Malaysia have robust national cybersecurity frameworks, strong digital economies, and cutting-edge tech ecosystems. They are better positioned to address cyber threats due to their investment in digital infrastructure and cyber resilience.
Collaborative Efforts: The Association for Southeast Asian Nations (ASEAN) is actively bolstering regional cybersecurity through initiatives such as the ASEAN Cybersecurity Cooperation Strategy (CCS) and cooperation with INTERPOL. These initiatives focus on regional coordination, information sharing, and capacity building, which are critical for countering sophisticated cyberattacks.
Cybercrime Response: ASEAN nations have been working on cyber capacity-building through programs like the ASEAN Cyber Capacity Programme (ACCP) and the ASEAN-Singapore Cybersecurity Centre of Excellence (ASCCE), which provide crucial training and research capabilities to bolster regional defenses.
Weaknesses:
Varying Levels of Cyber Readiness: While countries like Singapore are highly digitalized with robust cybersecurity, others such as Myanmar, Cambodia, and Laos have poor tech infrastructure, which limits their level of cyber readiness. This creates uneven defenses across the region, making some countries more vulnerable to state-sponsored cyberattacks.
Geopolitical Targeting: ASEAN countries, especially those with high digital penetration, are increasingly targeted by state-linked cyber attackers, particularly from China. These attacks often aim to steal sensitive government data, which underscores the need for stronger defense mechanisms in intelligence and national security domains.
Fragmented Cybersecurity Approach: Although ASEAN is making strides in coordination, the fragmented nature of cybersecurity capabilities in the region limits the effectiveness of a unified defense. Further integration and a cohesive regional CERT (Computer Emergency Response Team) could improve response times and threat mitigation across borders.
In conclusion, ASEAN intelligence agencies are making progress in building a cybersecurity defense framework, but challenges persist due to the uneven digital capabilities of member states. ASEAN’s efforts to enhance information sharing, capacity building, and the establishment of a regional CERT are crucial steps toward improving the region’s overall resilience to cyber warfare.
In summary, while national intelligence agencies in ASEAN are progressing in their cybersecurity efforts, significant work remains.
Q3: Moving from classical to quantum ICT, about Y2K vs Y2Q and with those quotes from CEO's Talk 2024 on “reasonable expectations vs techno-hype/ PR move ?” Please elaborate more.
Julian Fay: The transition from classical to quantum ICT is going to be a transformative journey with both technical challenges and socio-economic impacts, akin in some ways to the Y2K (Year 2000) challenge but far more complex and drawn out. In the context of Y2Q (Year to Quantum), this transition focuses on preparing for the moment when quantum computers become powerful enough to break classical cryptographic systems, which could jeopardize global communications and data security.
Y2K Context:
Y2K was essentially a coding issue. Older software stored the year in two digits, leading to fears that systems would interpret “00” as 1900 instead of 2000, causing errors in everything from financial systems to power grids. It was a known, date-specific problem that organizations worldwide worked to resolve before January 1, 2000. Y2K ended up being more of a logistical and preparatory challenge than a technological breakthrough, although it did create a global moment of urgency.
Y2Q Context:
Y2Q (the time when quantum computers will be able to break classical encryption algorithms like RSA) is more uncertain and multifaceted. Unlike Y2K, Y2Q does not have a fixed date. Quantum computers are still under development, and while we can expect them to mature in the next decade, we can’t pinpoint the exact year they’ll become a significant threat to classical encryption. Y2Q represents an evolving challenge in cryptography, requiring both immediate and long-term investments to protect sensitive data from quantum threats.
Key Differences:
Predictability: Y2K was a predictable, date-driven issue that could be fixed with known solutions. Y2Q is less predictable, and its timeline is contingent on technological advances in quantum computing, making preparedness more complex.
Scope: Y2K primarily affected legacy systems with specific date-related issues, while Y2Q involves the global overhaul of cryptographic systems used in practically all modern digital communications.
Impact: The failure to address Y2K could have led to temporary disruptions, but the consequences of unpreparedness for Y2Q could be far more severe, with potential breaches of critical infrastructure, military communication, and financial systems on a global scale.
Response Time: The Y2K problem had a fixed deadline, whereas Y2Q is a moving target, making it more difficult to mobilize a global response in time. Data encrypted today using vulnerable algorithms may already be compromised if it is harvested now and decrypted once quantum computers become available.
Reasonable Expectations vs. Techno-Hype:
The conversation surrounding quantum computing—and, by extension, Y2Q—has been filled with both genuine breakthroughs and speculative hype.
Reasonable Expectations:
Gradual Transition: Quantum computing will not suddenly render all classical systems obsolete. The transition to quantum-safe cryptography will be gradual, with hybrid solutions (supporting both classical and quantum-resistant cryptography) playing a key role in the interim.
Niche Applications: Early quantum computers are likely to be used for specialized tasks, such as optimization problems in logistics, material science, and drug discovery. They will initially operate in tandem with classical systems rather than completely replacing them.
Preparation for Long-Term Data Security: One of the most critical and reasonable expectations for quantum computing is the need to protect long-term sensitive data. Even if quantum computers that can break RSA or ECC encryption are a decade away, attackers may already be storing encrypted data today in anticipation of breaking it in the future. Therefore, transitioning to quantum-resistant cryptography is not just a precaution but an urgent necessity.
Techno-Hype / PR Moves:
Quantum Supremacy Confusion: The term “quantum supremacy,” popularized when Google achieved a specific quantum computing feat in 2019, is often misinterpreted as quantum computers being superior to classical computers in every aspect. In reality, we are still far from that point. PR around quantum supremacy can create inflated expectations that quantum computers will quickly solve major global problems, which is far from the current state of technology.
Premature Commercialization Claims: Some companies may claim to have “quantum solutions” for cybersecurity or data encryption that sound promising but are more marketing buzzwords than actual quantum-safe implementations. Genuine quantum-safe cryptography needs to be based on rigorously tested algorithms, such as those standardized by NIST. Claims of “quantum-ready” products should be viewed with caution, as many are not yet fully vetted.
Underestimating Implementation Challenges: Transitioning to quantum-resistant cryptography will be a monumental task, particularly for industries like finance, healthcare, and critical infrastructure. PR moves that suggest quick fixes or understate the cost and complexity of implementation can be misleading. The true shift will involve significant re-engineering of hardware and software systems, retraining staff, and long-term operational changes.
In conclusion, Y2Q is a far more complex and uncertain process compared to Y2K. It will require sustained effort, long-term planning, and realistic expectations about what quantum computing can and cannot deliver in the near future. Organizations must balance the urgency of adopting quantum-safe solutions with caution against hype and premature claims.
Q4: John (former Sentas’s CEO) mentioned “QKD (quantum key distribution or quantum cryptography) needs its own infrastructure”. That coincides with the real life condition where specific “quantum key channel” via optical fiber or quantum satellite is not welcomed by any regular ICT infrastructure. And while many leading firms for information security, National Cyber Security Centre - UK 2018, NSA National Security Agency - US 2020, Agence nationale de la sécurité des systèmes d’information - France 2022, and Federal Office for Information Security - Germany 2022, did not recommend QKD, however a giant Japanese company made an announcement of anticipation about its market will reach $12B in 2030 ! They will also have 25% market share. What is exactly going on in your opinion ?
Julian Fay: The situation around Quantum Key Distribution (QKD) reflects both the technical realities and the strategic business moves of various players in the global cybersecurity market. There is a divergence between the cautious approach taken by leading national cybersecurity agencies and the optimistic forecasts by some corporations, particularly in Japan. Here’s a breakdown of what’s happening:
1. Technical and Practical Limitations of QKD:
QKD, while theoretically secure under the principles of quantum mechanics, faces significant challenges in real-world implementation:
Dedicated Infrastructure: As you noted, QKD requires a specialized “quantum channel,” typically via optical fiber or satellite, which is incompatible with most existing ICT infrastructure. This limits its practicality in widespread use. Upgrading or building entirely new infrastructure for QKD is expensive and challenging.
Distance Limitations: Optical fiber-based QKD systems face distance limitations due to the degradation of quantum signals over long distances. While satellite-based QKD can cover larger areas, it is still experimental and involves high costs.
Limited Use Cases: QKD currently only addresses key distribution, not general encryption or broader cryptographic systems. This limits its role to specific niche applications where ultra-high security is necessary and where the costs and infrastructure challenges can be justified.
There are also questions around the security of QKD which unlike mathematical algorithms may be tied to the physical properties of the QKD system eg a photon source.
Given these hurdles, agencies like the UK’s National Cyber Security Centre (NCSC), NSA, ANSSI (France), and Germany’s BSI have advised against QKD in favour of quantum-resistant algorithms that don’t require specialized infrastructure. These algorithms offer a more pragmatic approach to quantum-safe encryption because they can be deployed on existing networks.
2. Business Strategy and Market Optimism:
On the other hand, large companies, particularly in Japan, are investing heavily in QKD and making bold market forecasts. The prediction that the QKD market will reach $12 billion by 2030, with 25% market share for a single company, is an example of this optimism.
Why?
First-Mover Advantage: Companies may be betting on securing an early lead in QKD technology, hoping that it will eventually become mainstream, especially in highly sensitive sectors like government, military, and finance. These sectors might be willing to pay a premium for the absolute security promised by QKD, even if the infrastructure investment is significant.
Geopolitical and National Interests: Japan, like some other countries, sees quantum technologies as a strategic priority. Investing in QKD could be part of a broader national push to lead in quantum technologies. The Japanese government has been actively supporting research and development in quantum technologies, viewing it as essential for both economic growth and national security.
Specialized Use Cases: Even though QKD may not be suited for general ICT infrastructure, there are specific use cases where it could be highly valuable. For example, in government communications, defense, financial transactions, and critical infrastructure, QKD could be seen as a worthwhile investment to ensure the highest level of security.
Market Differentiation: By investing in QKD, companies may be positioning themselves as leaders in quantum security, which could create a competitive advantage in specific markets, especially as organizations become more concerned about quantum threats. This could drive demand, particularly from clients who need to future-proof their security for the next 10–20 years.
The split between cautious government agencies and optimistic corporate forecasts can be understood through the lens of practicality versus market strategy. While QKD faces significant hurdles in scalability, cost, and infrastructure, companies with deep investments in quantum technologies are betting on the long-term potential of this market, especially for specialized sectors that require extreme levels of security. Meanwhile, governments and broader ICT markets are favoring quantum-resistant cryptography, which offers a more immediate, practical, and scalable solution.
This divergence will likely continue, with QKD carving out a niche in ultra-sensitive sectors, while post-quantum cryptography gains traction for more widespread use.
Q5: QKD has been renamed and roaming for any possible market, from Quantum Key Distribution (QKD - 1984) through Quantum Safe Security (2020), and to Quantum-Safe-as-a-Service (QSaaS - (2023). Also, its popular rhetorics as “unhackable” “100% secured” “using for nuclear power plant, electricity grid network, financial infrastructure, and etc”, have been promoting amazingly for many decades ?
But on another side of the same coin there are many important quotes for examples, QKD “seems like a solution to a problem that we don’t really have” or “boutique security product”, and John (former Senetas’s CEO) also mentioned “No one will buy quantum encryption except in R&D”. People from outside of this industry are definitely confused !
So, what did you really gain from involving with that hybrid classical & quantum encryption tech in the past, what business that you unlocked or please suggest those two sides of this QKD coin ?
Julian Fay: You’re absolutely right that QKD (Quantum Key Distribution) has undergone rebranding and marketing over the years, from its early promise as an “unhackable” security solution to its latest iteration as Quantum-Safe-as-a-Service (QSaaS). This trajectory reflects both the genuine advancements in quantum cryptography and the market’s search for real-world use cases to justify its development.
Two Sides of the QKD Coin:
1. The Optimistic Side – QKD’s Potential and Market Promise:
On the surface, QKD’s promise is enticing. Its key selling points include:
Unhackable Security: QKD is theoretically secure due to the laws of quantum mechanics. The principle that any interception of quantum key exchanges would immediately be detected has led to its description as “unhackable” and “100% secure.” For industries where security is paramount—such as defense, nuclear energy, and financial infrastructures—this promise is highly appealing.
Growing Quantum Threat: With the rise of quantum computing, the threat of breaking classical cryptographic systems (RSA, ECC) has grown more real. QKD positions itself as a future-proof solution, appealing to organizations looking to protect sensitive data in a post-quantum world.
Prestigious Applications: QKD is often mentioned in the context of protecting high-value infrastructure like nuclear power plants, government communications, and critical national systems. This creates a perception that QKD is at the cutting edge of cybersecurity technology, fueling interest from enterprises that want to be seen as investing in the latest and most secure technologies.
Quantum-Safe-as-a-Service (QSaaS): This rebranding is an effort to make QKD more accessible. By offering it as a service, firms are trying to lower the barriers to adoption, targeting sectors like finance, healthcare, and cloud services. It aligns with the broader trend of everything moving to “as-a-service” models, which makes security services easier to scale and implement without large upfront investments.
2. The Skeptical Side – QKD’s Real-World Limitations:
Despite the hype, QKD’s real-world applicability and necessity have faced significant scrutiny:
Overhyped Rhetoric: Terms like “unhackable” and “100% secure” are marketing language that oversimplifies the true nature of cybersecurity. No system is absolutely secure. While QKD may be theoretically resistant to direct hacking, it still relies on other components (classical cryptographic layers, hardware, and software) that are vulnerable. QKD can protect the transmission of keys, but the endpoints and surrounding infrastructure are still subject to attacks.
A Solution Without a Problem?: Critics argue that current classical cryptographic methods, when implemented correctly, already provide sufficient security for most applications. The focus on QKD as a “quantum-safe” solution may be premature since the timeline for quantum computers capable of breaking classical encryption is still uncertain.
Boutique Product: Given its high cost and specialized infrastructure requirements (optical fibers or satellites), QKD has been labeled a “boutique security product.” It may make sense for a limited set of use cases (like securing national defense communications), but for most businesses, the cost and complexity outweigh the benefits.
Cautious Adoption: As I mentioned earlier, national cybersecurity agencies in countries like the UK, US, France, and Germany have chosen not to recommend QKD widely. This cautious stance reflects a broader industry skepticism about whether the technology can scale or become cost-effective for mainstream use.
My Experience and Lessons Learned from Hybrid Classical & Quantum Encryption:
Having been involved with hybrid classical and quantum encryption technologies, I’ve learned valuable lessons about how these two paradigms can coexist and where they make sense:
Complementary, Not Replacement: In practice, quantum encryption works best when integrated with classical cryptography. Hybrid systems provide a “best of both worlds” approach, using classical cryptography for broad applications and quantum-based techniques like QKD for highly sensitive, niche use cases.
Practical Constraints: When working with quantum cryptography, the practical constraints are always front and center. The infrastructure demands (quantum channels, specialized hardware), the cost, and the performance overhead make it clear that QKD won’t replace classical cryptography anytime soon. Instead, it’s more of a highly specialized tool.
Business Unlocks: The business unlocks I’ve seen have been in research and development (R&D), critical infrastructure, and government use cases where quantum technologies are being tested for long-term viability. These are scenarios where security cannot be compromised, and the investment in quantum technologies is justified. But for most enterprises, classical encryption remains the more viable and cost-effective choice.
Perception vs. Reality: There’s a significant gap between what’s possible with quantum encryption and how it’s marketed. From a business perspective, one of the biggest lessons is managing expectations—both internally and externally. Involving decision-makers early and being transparent about the technology’s limitations helps navigate the hype and steer investments in the right direction.
What’s Really Going On:
The confusion and dual narratives around QKD—hype vs. skepticism—stem from the tension between cutting-edge technology and market realities:
Companies Are Betting on the Future: Some firms, particularly in Japan and China, are betting that QKD will eventually become viable on a larger scale as quantum technologies advance. They are investing early to gain market share, positioning themselves as leaders in quantum security for when quantum computing becomes a greater threat.
Agencies Are Hedging Their Bets: Government cybersecurity agencies, on the other hand, are playing a long game. They recognize that quantum-safe cryptography (post-quantum algorithms) offers a more practical solution in the near term. These algorithms can be implemented on existing infrastructure without the need for specialized quantum hardware.
Market Demand Is Uncertain: Much of QKD’s promotion is driven by the fear of quantum computing’s potential to break classical encryption. However, widespread adoption will likely remain niche unless the infrastructure costs decrease and the technology becomes easier to integrate into existing systems.
Conclusion: Two Sides of the QKD Coin
QKD sits at the intersection of genuine innovation and significant practical limitations. On one side, it promises the highest level of security for critical infrastructures and offers long-term protection against quantum threats. On the other, it’s a boutique solution with high costs, limited scalability, and technical challenges that make it impractical for widespread use.
The future of QKD lies in finding its niche markets—primarily in government, defense, and critical national infrastructure—while the broader cybersecurity industry continues to evolve toward post-quantum cryptography solutions that are more cost-effective and scalable for general use.
For those involved in cybersecurity, the key is to stay grounded in reality—understand what QKD can do, where it fits, and not get carried away by the promises of “unhackable” rhetoric. At the same time, it’s important to remain open to new developments, as quantum technologies will undoubtedly continue to evolve and potentially reshape the security landscape over the coming decades.
Q6: Recently in Thailand, QKD has been promoting as a tie-in selling tech into the national infrastructure. Use cases in the middle east claiming that QKD protecting the power grid network, is referred. With your kind suggestion, what message you shall deliver to both, that QKD seller and the executives of Thai electricity authorities ?
Julian Fay: I think it’s crucial to provide a balanced message that acknowledges the potential of QKD while addressing the practical challenges and realities of integrating it into national infrastructure, particularly in the energy sector.
Message to the QKD Sellers:
Honesty and Transparency About Capabilities:
๐ Avoid Overselling: While QKD offers unique advantages, it’s important not to market it as a silver bullet. Terms like “unhackable” or “100% secure” can create unrealistic expectations.
๐ Emphasize the Complementary Role of QKD: Highlight that QKD should be viewed as an additional layer in the overall security strategy, working alongside classical cryptographic methods rather than replacing them.
Clarify Infrastructure Requirements and Costs:
๐ Highlight Infrastructure Needs: Explain that QKD requires a dedicated quantum channel, which may necessitate significant upgrades to existing communication infrastructure.
๐ Promote Viability for High-Sensitivity Use Cases: Rather than positioning QKD as a universal solution, focus on specific, high-security scenarios where its value is highest—such as securing communications between control centres and critical nodes in the power grid, where data interception could have catastrophic consequences.
Demonstrate Real-World Success Stories:
๐ Provide Proven Use Cases: It’s crucial to back up these claims with data. Show how QKD has enhanced security, reduced risk, and integrated with existing systems in these projects. The Thai electricity authorities will need evidence that QKD delivers tangible benefits, not just theoretical security.
๐ Position as a Future-Proof Investment: Emphasize that QKD, while demanding an upfront investment, can be part of a future-proof security strategy to protect against quantum threats that may arise in the next decade.
Message to the Executives of Thai Electricity Authorities:
Balance Security with Practicality:
๐ Understand the Value of QKD but Consider It in Context: While QKD offers a level of security theoretically impervious to quantum attacks, it is just one piece of the overall cybersecurity puzzle. Emphasize that protecting a power grid requires a multi-layered approach that includes classical encryption, secure network architecture, and advanced monitoring.
๐ Evaluate Infrastructure Readiness: Assess whether the national grid’s current communication infrastructure can support QKD. Significant upgrades may be needed to accommodate the quantum channels, and this cost should be weighed against the additional security QKD provides.
Focus on Cost-Benefit Analysis: