SemiWiki.com - Podcast EP290: Navigating the Shift to Quantum Safe Security with PQShield’s Graeme Hickey
Episode Date: June 6, 2025Dan is joined by Graeme Hickey, vice president of engineering at PQShield. Graeme has over 25 years of experience in the semiconductor industry creating cryptographic IP and security subsystems for se...cure products. Formerly of NXP Semiconductor, he was senior manager of the company’s Secure Hardware Subsystems group responsible… Read More
Transcript
Discussion (0)
Hello, my name is Daniel Nenny, founder of SemiWiki, the open forum for semiconductor
professionals.
Welcome to the Semiconductor Insiders podcast series.
My guest today is Graham Hickey, Vice President of Engineering at PQ Shield.
Graham has over 25 years of experience in the semiconductor industry creating cryptographic
IP and security subsystems for secure products. Formerly of NXP Semiconductor, he was senior
manager of the company's secure hardware subsystems group responsible for developing security and
cryptographic solutions for an expansive range of business lines. Welcome to the podcast, Graham.
for an expansive range of business lines. Welcome to the podcast, Graham.
Thanks Daniel, it's very nice to be here.
Yeah, first can you tell us how you came
to the semiconductor industry?
Yeah, sure, absolutely.
So when I was at university,
I was very interested in semiconductor physics
and I got the opportunity to join
what was Motorola Semiconductor Products back then,
who had many
wave for fabs in Scotland at that point and I joined there and I was working as a
device engineer actually within the Semiconductor fab. So that really
got me into working in the whole semiconductor industry and at that time
Motorola was actually leading the market in smart cards or defining
that market which was one of the market in smart cards or defining that market, which
was one of the first products to introduce cryptography and security. So that kind of
led me into that area. I joined working on those products through testing and product
engineering within semiconductors and eventually starting to get involved in design. And from
there I worked in many different secure
and cryptographic products from companies like Atmel
and Insight Secure and NXP as you mentioned as well.
So yeah, been quite a number of years in seven conductors
but also in the cryptography and security space
specifically.
And what brought you to PQ Shield?
Yeah, so I think they basically I became aware of post quantum cryptography probably maybe six years
ago now. The role I was working in NXP was very central to developing
crypto solutions for many different range of products and PQC was
coming along there so I was very
aware of it and then PQ Shield was on my radar as a small startup you know I
thought that actually sounded quite a cool place to work in a new technology
which was evolving and I got approached by the CEO to join and you know the
opportunity to work at a startup doesn't come along so
often in the semiconductor space so I think it was a good opportunity for me to try something
new in a smaller company but working on new generation of technologies that I had experience
with over the years so I guess that's the background.
Great. So let's get into it. You know, currently the world is coalescing around a five to ten year window to adopt post quantum cryptography, but no two pieces of guidance are exactly the same.
So what timeline should semiconductor manufacturers be working towards for PQC compliance?
semiconductor manufacturers be working towards for PQC compliance?
Yes, interesting. I guess the five to 10 year adoption windows has really been driven a lot by NIST and the CNSA timeline that they've published.
And that's really to give us a timeline for everyone within different use cases
of cryptography to be compliant to PQC. And it's becoming more of a compliance issue than anything to do with
quantum computers within this area.
But in terms of semiconductors, what's critical here is this time scale,
because, you know, as you know, design cycles for large semiconductors
are multi-year, two or three years to develop a large chip.
So really, in order to ensure that these chips are compliant to these post-quantum standards,
they really should be starting to look at the adoption now and to make sure that they're
fully in place for 2030, for example. In some cases, software updates may be possible, but really to have a secure and performant
implementation in a chip, it's important that manufacturers can really start to understand
the implications of these algorithms and how they differ from existing crypto, I think
is a key part.
So in order to really have that in place and be compliant for the types of markets that they want to sell these into
they really should be
having these as part of their roadmap and starting to architect these solutions into the products now.
And at what stage of the transition is the semiconductor market at currently?
I mean, do we need to accelerate this to meet NIST and NSA
deadlines? So yes I would say most cases that has to be accelerated as I'd say
most semiconductor companies are probably still in a discovery and
evaluation phase for PQC. Obviously some companies that have
experience in secure markets for products requiring things like common criteria
will have been looking at this for probably some time.
But a lot of more different application spaces for semiconductors, these companies potentially have just started to look.
And that will be driven by things like the standards which came along and for the new PKC algorithms last year. Many companies will have waited until we have
a final standard from this. But you know that can be considered a starting gun, but it means
that you know these companies now have to go through the process of really understanding
how these solutions fit within their current
architectures, what potentially needs to change to accommodate. So yeah, I do think there probably
is a real need to accelerate the understanding and adoption of these algorithms within
the semiconductor space as a whole. What does good PQC look like for semiconductor conductors today?
I mean you know what will good PQC look like in five years time you know once
the transition deadlines arrive? Yeah so I'd say good right now is probably
having an implementation of the in hardware or in a code design of the standards which were ratified last year.
So that's the MLK, MLDSA, perhaps the SLHDSA signature scheme as well.
So having some sort of acceleration in hardware, some sort of security from implementation attacks such as side channel and fault, you know that you you would be in a good place if you had
this in your design cycle or even about to tape out right now.
I think having those as a hybrid
flexible software hardware co-design is probably prudent as well at this point and given the new nature of these algorithms,
you know, there's always new potential
implementation attacks that come along. So that's probably a good place to be offering
hybrid support which is the combination of classical public key cryptos such as ECC together
with the post quantum schemes is you know would be pretty a good place to be as well. You know, some regions are mandating that as a requirement,
but also having these implementation security
and within these algorithms is good right now.
In terms of five years from now, I think the current schemes
should be pretty mature and, you know and they should be very well adopted across
the majority of SOCs. Secure Boot is becoming mandatory in the majority of applications,
so really having PQC in there as part of the Secure Boot and the platform security would be
security would be mandatory within five years. I think integration into the full infrastructure,
security infrastructure across things like secure
firmware updates and attestation, for example,
would be critical.
And potentially support for other schemes,
the NIST are being open to additional schemes
to kind of spread the risk of these new algorithms.
So there will be additional key encapsulation schemes and digital signature schemes which
are coming along over the next few years as well. So having support for that, you know,
ability to update these potentially over the year would make sense and also potentially in areas such as communications, networking, these types of things,
having offload and acceleration to mitigate the effects of these types of algorithms on the networking traffic
would be critical as well in five years. This is a type of approach that's quite common for classical crypto such as ECC.
So having a similar sort of approach for PQC will really be important to ensure the performance in those types of applications.
Right. So last month, PQ Shield released PQ Platform TrustSys, a root of trust solution for ASIC and FPGA hardware.
a root of trust solution for ASIC and FPGA hardware.
What are the main challenges that manufacturers are facing when migrating hardware
with high security requirements to PQC
and what does the PQ platform TrustSys offer?
Yeah, so TrustSys is a full PQC first,
root of trust that we're developing within PQ Shield.
There are a number of challenges with implementing PQC within a set of SOC. These are probably rooted in the fact that
PQC algorithms are quite different from classical crypto such as ECC. The hardware acceleration,
the memory requirements are usually more in most cases.
And they also bring with them a different style of implementation in terms of the
mathematics which underpin these algorithms. That means you need new implementations or
features to support things like side channel protections, default protections,
and ensuring the performance is adequate for those particular
applications as well. So really we have developed this from the ground up to be coming at it from a
PQC and hybrid perspective and that really provides the user the confidence that they
can have a router trust that meets the needs not only from a hybrid
perspective so with the classical crypto support as well but also going forward and into the
adoption of PQC as is required by the new standards. And what other challenges should
manufacturers expect in the cryptographic transition and what are the most critical use cases for PQC implementation?
I guess in terms of manufacturing for semiconductors, P the software that's used to build the chips,
everything's gonna have to be quantum safe
and comply with the standards.
There'll be obviously a transition period
in which we're going and we're moving
from supporting classical crypto
through potentially a hybrid phase and into the
PQC era. So that will require some education and training for the existing engineers within those
companies to be able to adopt these algorithms. Then they'll have to look at how their entire
infrastructure works, how do their chips ensure platform security,
how do they provide updates over the air,
how are they interacting with other software architectures,
and ensuring that the entire chain is fully trusted
and compliant to these standards.
And so platform security is really critical.
It's probably one of the first
parts that have to be protected in terms of ensuring that we're using PQC signatures to
protect the firmware that's running within the chips for example. We're using PQC compliant or
quantum safe algorithms for you know attest, ensuring the configuration and the validity of
the platforms, for example, as well, is critical. And then also, as I touched on the networking side,
ensuring we've got some sort of quantum secure algorithm running there as well is important.
At the moment, there's the potential harvest now decrypt later attack that's been as widely spoken about,
is something that's applicable to the networking traffic.
So shifting from using a classical crypto key
establishment mechanism to a quantum safe chem
based approach is important as well.
So these are the main areas that we see customers
trying to look at what they need to do in the next,
certainly three to five years.
All right, so last year PQ Shield unveiled
a NIST Ready PQC silicon chip.
How are you using this to develop and test IP?
What evaluations can you carry out using this chip
that weren't possible before?
Yeah, so the test chip was developed
to basically allow us to silicon prove
our platform family of IPs.
So the PQ platform family is all about platform security,
you implement state channel countermeasures within the algorithms to ensure
implementation security of the PQC algorithms when they're running. So obviously we went through a
full pre-silicon emulation process of looking at the implementation of these algorithms, ensuring that our countermeasures are top notch.
A lot of customers really want to see silicon proven IP.
So we took that next step, we developed our own test chip that allowed us to put everything into that chip and then fully validate it.
It's a fully programmable chip so our platform family
of IPs is firm and updatable so that allows us to download new firmware we
can run experiments on this test chip you know looking at different
optimizations you know improving the side channel protection for example
you know optimizations to our firmware we can look at your power
optimizations and all these different types of things.
But really, it's about the validation
and really showing a real proof point
of the capability of PQ Shield
to develop full products within this space.
Great.
Final question, Graham.
How do customers normally engage with PQ Shield?
So we have different ways,
but usually we have a lot of customers
that are kind of in the semiconductor space,
in the security space,
and they want to find solutions to this problem.
So they have maybe existing IP
that they have got from different vendors that provide them security in the classical crypto.
So they're looking to understand how to upgrade that.
So that's maybe some customers that have an awareness of PQC.
Then we also have customers that are coming to us to really learn about PQC and the issue,
understand how it affects their environment and their setup. So we have, you
know, experts at many different levels within PQC. We have
people who work with protocols, people who work on, you know,
pure software versions of primitives, and we have new
hardware experts and security experts. So that allows us to
kind of provide that kind of best
in class support with helping customers really understand what they need to do. And then,
you know, obviously we can then point them towards how our portfolio of IPs can provide a solution
to those problems. So there's a few different angles. It kind of depends on the customer's
So there's a few different angles. It kind of depends on the customer's understanding
of crypto and security in the first instance,
whether we can direct them straight towards a solution
or perhaps they need a little bit of consultancy from us
to help them understand the problem space.
Great conversation, Graham.
Thank you very much for your time today.
You're welcome.
Nice to meet you, Daniel. Thank you very much for your time today. You're welcome. Nice to meet you, Tom. Thank you.
That concludes our podcast. Thank you all for listening and have a great day.