SemiWiki.com - Podcast EP304: PQC Standards One Year On: The Semiconductor Industry’s Next Move

Episode Date: August 22, 2025

Dan is joined by Ben Packman, Chief Strategy Officer of PQShield. Ben leads global expansion through sales and partner growth across multiple vertical markets, alongside taking a lead role in briefing... both government and the supply chain on the quantum threat. He has 30 years of experience in technology, health, media, and telecom,… Read More

Transcript
Discussion (0)
Starting point is 00:00:00 Hello, my name is Daniel Nenny, founder of semi-wiki, the open forum for semiconductor professionals. Welcome to the Semiconductor Insiders podcast series. My guest today is Ben Packman, Chief Strategy Officer of PQ Shield. Ben leads global expansion through sales and partner growth across multiple vertical markets, alongside taking a lead role in briefing both government and supply chain. on the quantum threat. He has over 30 years of experience in technology, health, media, and telecoms,
Starting point is 00:00:36 as well as advising multiple startups in the UK tech space. Welcome to the podcast, Ben. Thank you for having me. Pleasure to be here. So, Ben, first question I usually ask is, what brought you to your current position? What brought you to PQ Shield? Yeah, so I was working with a range of different UK tech startups,
Starting point is 00:00:56 and I was introduced to our founder, Ali, by some investors on day two of the business, i.e. the day after he spun it out of the Oxford University. And Ali and I hit it off immediately. And I worked with Ali as a consultant for a short period of time until we raised our first fundraising. And then I joined full time. So it was about a good connection between the founder, Ali, and myself,
Starting point is 00:01:22 and a deep fascination with the topic area. Great. So it's been one year. since NIST release of PQC standards, how has the semiconductor industry responded? Good question. I think I would summarize it by saying positively, but with caution. I think, as we all know, the semiconductor process is a multi-year. They're often multi-year programs. And there are some things holding back the semiconductor space a little bit, you know, flow down of the NIST standards into other used standards like ISO, ASIL, you know, all of those other
Starting point is 00:02:03 supporting standardization programs is kind of holding them back or has quite they have questions about it if you like. I think some regional factors also apply. We're talking to people in Japan, for example, there is a body called Cryptrack in Japan. They don't yet list the PQC algorithms on their approved list and whilst that's somewhat an official list it is referred to by pretty much all engineers in the space in Japan and therefore it's important that that happens and I'm pleased to say it's changing soon but also the question around whether we're using pure post quantum cryptography or hybrid PTC and classical cryptography and the differing views on that between Europe and the US and others. That's also causing some confusion or making the design space
Starting point is 00:02:56 more complicated, I would say. There's also a little bit of supply chain chicken and egg. I think a lot of people use the NIST standards as a starting gun. And therefore, the supply chain is not necessarily all happened at the same time. So end customers aren't necessarily banging the table for PQC with the semiconductor manufacturers because they're still working out their plans and what it means to them. And so that will sort itself out over the coming six, 12 months or so, because it's moving quite quickly. So in short, that the NIST stands where it's a major milestone, but every other part of that supply chain and the industry needs to keep moving at the same time. Right. Well, with the industry aligning around NIST's proposed 2035 migration timeline,
Starting point is 00:03:46 you know, how are vendors positioning themselves in this long? term transition. Again, I think that changes by the vertical that they're working in. So in the automotive space, for example, a number of the semiconductors that focus heavily on those areas are deep into planning cycles, but those planning cycles are not going to see the light of day until perhaps 2030 onwards. And so they're recognizing the timelines, but they're also being cautious just for all the other reasons I gave earlier as to how they do that. And they're very reliant on their customers turning around. So in automotive at the moment, there are not that many OEMs who are turning around and saying,
Starting point is 00:04:29 I must have PQC in my car by X. And therefore, it's a timeline driven by the overall need to adopt rather than a customer driving a requirement through that supply chain. Some others, in perhaps more the ancillary space, not maybe the core systems within those areas are really going to the foreground with PQC, perhaps in their applications, so that they can at least be part of the conversation rather than just being reactive to a customer's needs. And what specific progress have early movers in the semiconductor space made in adopting PQC? and how is that shaping the benchmark for the rest of the ecosystem? The benchmark is an interesting point. I think a handful of vendors, as far as I can see,
Starting point is 00:05:18 are addressing platform security in their next generation chip. And those design processes are growing month on month as people get into those design cycles. So I think that's now becoming a, any design process starting from now on has got PTC included in it. I think when it comes to the current. generation and things that are being shipped today, still in process and ultimately, spec can't be changed because of a supply chain thing that says that's got to be there for three years, five years, whatever it happens to be, that is slightly more tricky because you can't really update the secure boot in a chip right the way down to the very lowest level with
Starting point is 00:06:00 just a software upgrade, for example. So there's a mixed bag when it comes to the devices either in the or the devices that are being shipped right now. And that's very mixed, depending on the vendor you talk to. Right. Well, given that parts of the digital infrastructure like encrypted messaging apps, you know, web browsers and video conferencing platforms are already PQC enabled, what does this mean for semiconductor companies building the foundational hardware? I think people often forget, and it's a good point you're making,
Starting point is 00:06:36 that there are multiple places that PQC might need to be embedded into in any one particular device. So if you took a firewall, for example, there's a platform security layer, i.e. how that device secure boots and how it goes, it's over the air updates, etc. Then there is the primary application layer, which is potentially in an FPGA or something. And that is the thing that needs acceleration, hardware acceleration for the large number of PQC key exchanges or transactions that it's making. And so that is the user-based cryptography that is going to be in that primary application layer.
Starting point is 00:07:18 But there are also then supporting applications that see in that file. So for example, a lot of files have an anti-counterfeiting chip. And that in itself also needs to be updated. So even just looking at that simple example, there are three layers here. Each of them has their own timeline, yeah, and each of them has their own
Starting point is 00:07:36 potential different solution, depending on the timeline they're trying to hear. So all of those applications are just an overlay on top of the core platform. And it's really sums up the complexity of this PTC migration in the fact that so many parts of the supply chain have to move or arrive, if you like, at a point in time where everything is, well, if that device is, they're going to be considered to be quantum safe. So how should PQC readyness factor into the current and future semiconductor procurement or design process, particularly in the terms of compliance? So I think it's pretty clear. There's general acceptance that it's mandatory, right? In certain sectors, you could get to that point where you're just not going to be able to bid or ship your product if you don't meet the compliance of having PQC or the standard that that sits within all that is mandating it.
Starting point is 00:08:32 The compliance landscape, though, currently is still reacting, as I alluded to earlier, but they're coming up with different qualifications. So, for example, if you took the Sub-Resilience Act, which a lot of manufacturers are looking at the moment, it doesn't explicitly mention post-quantum cryptography in any particular place, but it does mention using state-of-the-art cryptography and various methodologies. And so there is some work going on between European Union and other people around signposting that actually that clause within the CRA is directly aligned to post quantum catography. And that is what we consider to be state of the art in this scenario. So it's got to be there is the bottom line. And there's still an emerging view from that compliance landscape as to exactly how that's fit. I don't think anyone has put the GUC through common criteria yet, for example. but there is FIP certification available for PQC already.
Starting point is 00:09:31 So it's a mixed bag, but it's changing rapidly, month or month. You know, as the PQC transition gains momentum, what are the risks and costs facing semiconductor vendors that delay implementation, you know, and what strategic advantages exist for those who move first? The principal risks and costs facing those people at the moment is a still, that element of uncertainty. I've touched on it already. There's not necessarily a clean site when it comes to the regulatory side of things or even the various different standardization bodies. So there's this kind of generally moving direction that's happening. I think that causes concern, right?
Starting point is 00:10:16 So when NIST announced earlier this year that they were considering bringing a second key encapsulation mechanism on called HQC, we've had a lot of people from the telecoms industry say, saying, okay, we're looking at our next generation ASIC and we're going to need to support HQC, but HQC is still two years away from being standardized. That's a tricky situation. And so you might have to make various design decisions that could prove to be a suboptimal going forward. But on the flip side, the OEMs that are then going to subsequently use that semiconductor, they need to be able to prove to the enterprises that are consuming their products, that they are PQC compliant. So there's a tipping point, I guess, along that journey. And I'm seeing that the
Starting point is 00:11:04 early adopters, the ones that are really going out there and talking about PQC and delivering PQC are gaining the confidence of their customers and the enterprise that they're on it. And those that are not talking about it are perhaps dropping back down the pecking order currently. Great. Final question, Ben. How do companies normally engage with PQ shield you know how easy is it for them to get access to your technology we like to think it's pretty easy we've got a pretty comprehensive website that people visit a lot and but principally we find we go to a lot of events so our research team present a lot of the research deep cryptography research
Starting point is 00:11:48 events our commercial team will find us at pretty much every major kind of industry event I think last year we did something like 82 events over the course of the year. So we tried to make us pretty visible. We've also got a good commercial team that have got good contact books and they're out there talking to people all the time. So, yeah, typically that's how people get in touch with PQ Shield. Great discussion, Ben. Thank you for your time. No problem. Thanks very much. That concludes our podcast. Thank you all for listening and have a great day. Thank you.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.