CEO interview: Quantum security for the real world
尽管这个名字,密码Quantique并不实际about quantum encryption. But it is about security, and is gaining traction in the semiconductor industry and the Internet of Things (IoT). Instead it is about a hybrid, end to end model, Dr Shahram Mossayebi, CEO and founder tells eeNews Europe.
“We want to address the trust issue in the supply chain,” said Mossayebi.
“One of the challenges is that industry looks at security as a cost but all the companies looking at Industry 4.0 are not connecting thig to the Internet because they are afraid of cyber attacks, The pandemic showed us that if you had a connected production line you could work through the pandemic so it’s not a cost, it’s an enabler for new industries. There’s still a lot of work to be done on security, it’s not just protection, it’s a way into new markets with more autonomy and more flexibility in how you do things,” he said.
“Things are changing – a lot of big names understand the complexities of the security solutions put there and understand having something that’s easy to use is vital,” he said. “We are doing that job for them, the proof of concept, we package it and give it to field engineers to quickly set up customers.
“Suddenly in the last six months everyone is talking about the root of trust. They are coming to us asking for root of trust and cloud connectivity. People look at chips as a commodity and don’t understand how important they are. Somehow people forget about that. Now with AI and machine learning people are looking at semiconductors,” he said.
Next: Renesas quantum deal
All of this has led to a combination of analogue IP and software to provide end-to-end security embedded in a microcontroller that is easy for developers to use. The software is now being used by Renesas for its microcontrollers.
“This goes back to my mixed academic background, a combination of physics and software development around the dot com boom, storing secrets inpublic databases and that was a fascinating area for me. I did a masters at Royal Holloway on cryptography and in 2008 the EU was doing this big project on quantum cryptography and that for me was destiny,” said Mossayebi.
“During my PhD I did a lot of more cryptography and security analysis and looked atlot of quantum computing. That gave me a view in 2015 in understanding the best elements of each world for a hybrid model rather than just full quantum crypto or modern cryptography
“Working as a cybersecurity consultant, the first problem was Key distribution ad key management for an SME and that’s where quantum technology could excel.
He was part of a startup accelerator in London in 2016 when the Mirtai botnet was attacking embedded systems in the Internet of Things (IOT) around the world.
“We were studying those attacks, learning the IoT system and realising you need end to end security,” he said. “Going lower and lower, you needed a key management system for connected devices to achieve the other layers of security and that got me thinking about using quantum technology that provides crypto keys inside each device and use modern crypto to distribute those credentials in a wider system to protect ourselves.
“The quantum element in our case is we wanted to use an element with reliability, high entropy, high reliability and build something from scratch that could be secure from side channel attacks.
The biggest challenge with quantum technology is ability to integrate it into existing devices. “I didn’t want to solve a big issue in 50 years or even in 10 years but exploit the benefit of quantum technology to solve a big problem right now.
“We could not build something right now so we compromised and looked at the other ways. There is quantum tunnelling and industry looks at it as a parasitic – it’s a grey area between quantum and classical physics so we exploit quantum tunnelling in CMOS and it gives us some advantages
The underlying concept is the same as a PUF [physically unclonable function] that is used to generate the seed for an encryption key from the variations in the SRAM memory in a chip.
“PUF是由电子工程师去剥削t variability for cryptography,” he said. “From a crypto point of view, not everything random can be used for crpyto. Yes, PUF is good to have but what we believe that’s not enough. It only relies on quantum tunnelling behaviour, the only variable is the thickness of the tunnelling barrier and the way it is designed allows side channel attacks. For example the SRAM can be manipulated with optical inspection, there can be a residue of data in the memory, there’s all sorts of attacks.
“Instead we are relying on the atomic variability ofCMOS where we compare quantum tunneling currents so we build circuits with femtoamp currents with very high resolution. This means we can generate multiple uncorrelated seeds rather than just one with an SRAM.”
Next: Quantum tunnelling implementation
Then there is the implementation.
“Security is complicated for end users and they don’t have the expertise and vendors are expecting them to do a lot themselves via a set to APIs. So something else we want to achieve is to provide seamless security on either side, the semiconductor companies and the OEMs that are using the technology.
So Mossayebi has built hardware called QDID and software infrastructure called QuarkLink.
The underlying tech is a lot of quantum physics and crypto maths but the application we have built is super simple to use,” he said. “Whatever we build has to drop into a secure microcontroller and connect to the APB bus, you don’t need to know anything about quantum physics. On the software side our QuarkLink takes care of the conditional access, the physical key infrastructure and the rest of the cryptographic infrastructure. If you have QuarkLink in the microcontroller then you have the flow in the supply chain without the need for key injection or other infrastructure. You don’t need to trust anyone in the supply chain
“At the application level we push hard to make everything is as automated and simple as possible,” he said. “The only party you need to trust is the silicon vendor.”
“We have gone through hell to build QuarkLink as agnostic so we had to build a mini certificate authority inside it. It took three years to build and users can run it on premises, in the cloud, wherever they want, and neither the cloud vendor or the silicon vendor will know any of their keys, and you can connect to any cloud provider simultaneously.”
“QDID is an analogue IP so we need to prove it on each process node and we need the PDK, and we have good relationships with the two big foundries, otherwise it’s a three way NDA.
“When we started we worked closely with GlobalFoundries,” he said. “Quantum tunnelling is a parasitic and there’s not much information about that in the process and GF engineers did specific tests for us with specific data and that helped us to design the IP. Now with a normal PDK we can connect with the fab. This was at 55/65nm and we are now working with 22nm and we don’t see any problem porting to lower nodes.”
Next: Technology sovereignty in quantum
For Mossayebi is it vital to have this capability in Europe. “To me that is a foundational technology you need to have and have full control over and not let a third party have control,” he said. “Europe needs to make sure it has some leverage to make sure there is access to the supply otherwise its lost. “
“这是very tricky,” he said. “There’s securing the supply chain, then there’s the security of the devices you buy. That’s another challenge. There’s so much trust in the producers of the ASIC from IP to the technical security issues and then the economic issues of the supply.I don’t understand where Europe has the leverage with TSMC or Samsung to make sure they have the supply of chips, or they need to build that in Europe.”
He sees quantum technology as a key opportunity for the region.
“I would separate the investment in quantum computing from the semiconductor industry,” he said. “CMOS and silicon will be around for the next 50 to 60 years if not more. I would take a page from how the UK went about the Covid-19 vaccines and invest in multiple startups – Europe needs to make meaningful investment in other parts of the world already doing semiconductors so they have more control of the supply chain.
“In quantum there definitely needs to be investment and the main focus is on hardware but you need the quantum algorithms so the investment needs to go onto quantum software and the good thing about that is some of those algorithms can be run today on quantum emulators with massive cloud systems without having a quantum computer – I would see more value in working on quantum algorithms.”
He points to the GDPR privacy and data legislation as key opportunity.
“Europe has power in what can be used in Europe as a connected device and that could push US and Chinese companies to comply as these are harnessing data so I think EU legislation could be very powerful.”
Related articles
- SRAM PUF-based key provisioning system to secure IoT
- Maxim develops its own PUF security technology
- Xilinx添加PUF Zynq设备的安全
Other articles on eeNews Europe
