SemiWiki.com - Podcast EP304: PQC Standards One Year On: The Semiconductor Industry’s Next Move
Episode Date: August 22, 2025Dan is joined by Ben Packman, Chief Strategy Officer of PQShield. Ben leads global expansion through sales and partner growth across multiple vertical markets, alongside taking a lead role in briefing... both government and the supply chain on the quantum threat. He has 30 years of experience in technology, health, media, and telecom,… Read More
Transcript
Discussion (0)
Hello, my name is Daniel Nenny, founder of semi-wiki, the open forum for semiconductor professionals.
Welcome to the Semiconductor Insiders podcast series.
My guest today is Ben Packman, Chief Strategy Officer of PQ Shield.
Ben leads global expansion through sales and partner growth across multiple vertical markets,
alongside taking a lead role in briefing both government and supply chain.
on the quantum threat.
He has over 30 years of experience in technology,
health, media, and telecoms,
as well as advising multiple startups in the UK tech space.
Welcome to the podcast, Ben.
Thank you for having me.
Pleasure to be here.
So, Ben, first question I usually ask is,
what brought you to your current position?
What brought you to PQ Shield?
Yeah, so I was working with a range of different UK tech startups,
and I was introduced to our founder, Ali,
by some investors on day two of the business,
i.e. the day after he spun it out of the Oxford University.
And Ali and I hit it off immediately.
And I worked with Ali as a consultant for a short period of time
until we raised our first fundraising.
And then I joined full time.
So it was about a good connection between the founder, Ali, and myself,
and a deep fascination with the topic area.
Great.
So it's been one year.
since NIST release of PQC standards, how has the semiconductor industry responded?
Good question. I think I would summarize it by saying positively, but with caution. I think,
as we all know, the semiconductor process is a multi-year. They're often multi-year programs.
And there are some things holding back the semiconductor space a little bit, you know, flow
down of the NIST standards into other used standards like ISO, ASIL, you know, all of those other
supporting standardization programs is kind of holding them back or has quite they have questions about
it if you like. I think some regional factors also apply. We're talking to people in Japan,
for example, there is a body called Cryptrack in Japan. They don't yet list the PQC algorithms
on their approved list and whilst that's somewhat an official list it is referred to by pretty
much all engineers in the space in Japan and therefore it's important that that happens and I'm
pleased to say it's changing soon but also the question around whether we're using pure
post quantum cryptography or hybrid PTC and classical cryptography and the differing views on that
between Europe and the US and others. That's also causing some confusion or making the design space
more complicated, I would say. There's also a little bit of supply chain chicken and egg. I think a lot of
people use the NIST standards as a starting gun. And therefore, the supply chain is not necessarily
all happened at the same time. So end customers aren't necessarily banging the table for PQC with the
semiconductor manufacturers because they're still working out their plans and what it means to them.
And so that will sort itself out over the coming six, 12 months or so, because it's moving
quite quickly. So in short, that the NIST stands where it's a major milestone, but every other
part of that supply chain and the industry needs to keep moving at the same time.
Right. Well, with the industry aligning around NIST's proposed 2035 migration timeline,
you know, how are vendors positioning themselves in this long?
term transition. Again, I think that changes by the vertical that they're working in. So in the
automotive space, for example, a number of the semiconductors that focus heavily on those areas are
deep into planning cycles, but those planning cycles are not going to see the light of day until
perhaps 2030 onwards. And so they're recognizing the timelines, but they're also being cautious
just for all the other reasons I gave earlier as to how they do that.
And they're very reliant on their customers turning around.
So in automotive at the moment, there are not that many OEMs who are turning around and saying,
I must have PQC in my car by X.
And therefore, it's a timeline driven by the overall need to adopt rather than a customer
driving a requirement through that supply chain.
Some others, in perhaps more the ancillary space, not maybe the core systems within those areas are really going to the foreground with PQC, perhaps in their applications, so that they can at least be part of the conversation rather than just being reactive to a customer's needs.
And what specific progress have early movers in the semiconductor space made in adopting PQC?
and how is that shaping the benchmark for the rest of the ecosystem?
The benchmark is an interesting point.
I think a handful of vendors, as far as I can see,
are addressing platform security in their next generation chip.
And those design processes are growing month on month as people get into those design cycles.
So I think that's now becoming a, any design process starting from now on has got PTC included in it.
I think when it comes to the current.
generation and things that are being shipped today, still in process and ultimately,
spec can't be changed because of a supply chain thing that says that's got to be there for three
years, five years, whatever it happens to be, that is slightly more tricky because you can't
really update the secure boot in a chip right the way down to the very lowest level with
just a software upgrade, for example. So there's a mixed bag when it comes to the devices either in the
or the devices that are being shipped right now.
And that's very mixed, depending on the vendor you talk to.
Right.
Well, given that parts of the digital infrastructure like encrypted messaging apps,
you know, web browsers and video conferencing platforms are already PQC enabled,
what does this mean for semiconductor companies building the foundational hardware?
I think people often forget, and it's a good point you're making,
that there are multiple places that PQC might need to be embedded into in any one particular device.
So if you took a firewall, for example, there's a platform security layer,
i.e. how that device secure boots and how it goes, it's over the air updates, etc.
Then there is the primary application layer, which is potentially in an FPGA or something.
And that is the thing that needs acceleration, hardware acceleration for the large number
of PQC key exchanges or transactions that it's making.
And so that is the user-based cryptography
that is going to be in that primary application layer.
But there are also then supporting applications
that see in that file.
So for example, a lot of files have an anti-counterfeiting chip.
And that in itself also needs to be updated.
So even just looking at that simple example,
there are three layers here.
Each of them has their own timeline, yeah,
and each of them has their own
potential different solution, depending on the timeline they're trying to hear.
So all of those applications are just an overlay on top of the core platform.
And it's really sums up the complexity of this PTC migration in the fact that so many
parts of the supply chain have to move or arrive, if you like, at a point in time where
everything is, well, if that device is, they're going to be considered to be quantum safe.
So how should PQC readyness factor into the current and future semiconductor procurement or design process, particularly in the terms of compliance?
So I think it's pretty clear. There's general acceptance that it's mandatory, right?
In certain sectors, you could get to that point where you're just not going to be able to bid or ship your product if you don't meet the compliance of having PQC or the standard that that sits within all that is mandating it.
The compliance landscape, though, currently is still reacting, as I alluded to earlier, but they're coming up with different qualifications.
So, for example, if you took the Sub-Resilience Act, which a lot of manufacturers are looking at the moment, it doesn't explicitly mention post-quantum cryptography in any particular place, but it does mention using state-of-the-art cryptography and various methodologies.
And so there is some work going on between European Union and other people around signposting that actually that clause within the CRA is directly aligned to post quantum catography.
And that is what we consider to be state of the art in this scenario.
So it's got to be there is the bottom line.
And there's still an emerging view from that compliance landscape as to exactly how that's fit.
I don't think anyone has put the GUC through common criteria yet, for example.
but there is FIP certification available for PQC already.
So it's a mixed bag, but it's changing rapidly, month or month.
You know, as the PQC transition gains momentum,
what are the risks and costs facing semiconductor vendors that delay implementation,
you know, and what strategic advantages exist for those who move first?
The principal risks and costs facing those people at the moment is a still,
that element of uncertainty. I've touched on it already. There's not necessarily a clean site when it
comes to the regulatory side of things or even the various different standardization bodies. So there's
this kind of generally moving direction that's happening. I think that causes concern, right?
So when NIST announced earlier this year that they were considering bringing a second key
encapsulation mechanism on called HQC, we've had a lot of people from the telecoms industry say,
saying, okay, we're looking at our next generation ASIC and we're going to need to support HQC,
but HQC is still two years away from being standardized. That's a tricky situation. And so you
might have to make various design decisions that could prove to be a suboptimal going forward. But
on the flip side, the OEMs that are then going to subsequently use that semiconductor,
they need to be able to prove to the enterprises that are consuming their products, that they are
PQC compliant. So there's a tipping point, I guess, along that journey. And I'm seeing that the
early adopters, the ones that are really going out there and talking about PQC and delivering PQC
are gaining the confidence of their customers and the enterprise that they're on it. And those that
are not talking about it are perhaps dropping back down the pecking order currently.
Great. Final question, Ben. How do companies normally
engage with PQ shield you know how easy is it for them to get access to your
technology we like to think it's pretty easy we've got a pretty comprehensive
website that people visit a lot and but principally we find we go to a lot of events
so our research team present a lot of the research deep cryptography research
events our commercial team will find us at pretty much every
major kind of industry event I think last year we did something like 82 events over the
course of the year. So we tried to make us pretty visible. We've also got a good commercial
team that have got good contact books and they're out there talking to people all the time.
So, yeah, typically that's how people get in touch with PQ Shield. Great discussion, Ben.
Thank you for your time. No problem. Thanks very much.
That concludes our podcast. Thank you all for listening and have a great day.
Thank you.