Roy Stephan Deep Dive with Quantinuum heading into SOF Week 2025
Roy Stephan
Quantinuum
Quantinuum Focus
Roy Stephan
Our focus with Quantum Origin is using the power of quantum computers to improve security. We’re addressing the long-standing issue of randomness in classical computing. Classical computers are built to be predictable and repeatable, which is not ideal for creating secure, private keys. You don’t want something guessable or repeatable when it comes to encryption.
Â
Quantum computers let us generate proven randomness, which we can then bring into classical machines to boost their security. This matters for all security, past, present, and future, because better randomness leads to stronger encryption keys and algorithms. This is especially important now, because as quantum computers become more capable, they are also opening new types of attacks. So, while we’re using quantum computers to help improve security, other malicious actors may be using those same quantum computers to tear down security.
Â
We’re seeing the same thing happening with artificial intelligence. There are a lot of threat vectors we expect to emerge from AI, especially around very complex types of attacks that might be beyond what the average human can even comprehend.
Â
This is particularly true in areas like mathematics, where AI might be able to launch attacks no human ever anticipated. So, it’s an interesting moment in time from a security perspective. Our quantum computers have reached a point where they can really help strengthen security. The threats are evolving fast, so people are looking for higher levels of protection.
Â
So, what does that mean for everyday use? Well, people are using our proven quantum randomness by installing our software and integrating it with their encryption systems to harden their keys, whether that’s classical encryption or post-quantum cryptography algorithms. That way, they’re better protected against whatever new kinds of attacks might come from these emerging technologies.
Some of these technologies are so advanced, it’s difficult to conceptualize. Have we seen anything like this before?
Roy Stephan:
The Enigma machine, for those of you that don’t know, was an encryption device that the Germans used in World War II. It was sort of like a typewriter where you would type your message in plain text that you could read, usually in German because they were German speakers, and then the typewriter would encrypt that message using a series of algorithms and some special wheels that they had. And then on the other side of the communication, whoever received that message would type it into their Enigma machine, all encrypted, and it would print out something in plain text that they could read as well.
Â
The Allied forces were able to break the Enigma encryption, and there’s a number of different contributing factors. Some of that was the level of randomness, some of that was being able to capture an actual Enigma machine so they could leverage their understanding of the codes, and all this teamed together to be able to read those encrypted messages the Germans were sending. And of course, this is important in war because you can predict where the submarine is going to surface, or where the airplanes are going to drop bombs, if you can see the communications of the opposing forces. It took a long time for the Germans to figure out that their communications were compromised.
Â
We really focus on better randomness with our product, Quantum Origin. That’s an interesting component of the Enigma story that with better randomness, it would have been more difficult for the Allied forces to break the Enigma. But there’s a bigger picture here. When your communications are broken, you don’t always know that they’re broken. So, I think bigger than the specifics of the randomness in this case is the fact that it’s difficult to know when your communications are hijacked.
Â
It is important that you’re constantly upgrading your level of security. It’s important that you’re reaching for the strongest level of security that’s available on the market. This is what we talk to our customers about. Rather than focusing on a successful attack 10 years ago or 50 years ago, we’re looking at what is the attack happening behind the scenes right now, that they’re unaware of, and how they can improve their security so they can be protected against future attacks.
Â
When your communications are attacked and they’re able to be decrypted in transit, it’s very difficult to stop or discover because it doesn’t show up in your log files. We’re used to cyber-attacks being someone is trying to enter our network, and we may have mitigating factors such as a firewall stopping them from getting in. We may have things that are tracking the logs and creating alerts and warnings that somebody has gotten into the environment or is trying to break in. All of these layers of protection that we’ve built around our trusted enclaves are not present when we’re doing communications.
Â
Communication, almost by definition, travels outside of that protective enclave and through the wires, through the air, or up through space and we have just the encryption to rely on to secure that message. We have no feedback if that encryption has been broken or that message is being captured, because again, there’s no log files and there’s no mitigating protection like a firewall that’s protecting that message when it’s in the outside world.
Â
I think the Enigma lesson shows this very clearly, because the German encryption was hacked for a long period of time where the Allies were able to thwart a lot of their attacks before the Germans eventually figured out that the Allies must be reading their communications to predict their movements.
Â
And that’s really the biggest challenge that anybody in the cryptography space has is knowing whether or not your encryptions have been hijacked and broken, and making sure you have the strongest level of encryption that’s available to you to be able to protect you against as many potential attacks, known or unknown, as you might be facing out in the wild.
SOFtact is very focused on finding companies that are nimble, forward looking, and tackling what's in front of them while also anticipating what is over the horizon. That mindset is crucial to our customers and to the warfighter in general, especially when talking about securing communications that are outside of secure environments. What you are sharing here is monumental.
Roy Stephan:
I’ve been doing this for a long time. For 30 years I’ve been working in security and computers. And there’s been a lot of advances over the last few decades in security, all different types of security, even in algorithms and the strength of keys. But what’s very rare is that physics changes. It almost never happens that the physics you’re dealing with changes. The concept of gravity doesn’t change whether you were firing missiles today or shooting crossbows in the Roman era. Gravity is still gravity. What we’re dealing with in quantum computing is the fundamental difference in the underlying physics and that is what Quantinuum is building on top of in terms of bringing new security.
Â
There is so much that quantum computers are doing today that can help improve networks, can help improve security, can help improve efficiency of computation, how long it takes to run a computation, how much power is used in identifying an answer. With Quantum Origin, being able to take the power of that quantum computer and then package it up as software and deliver it to a laptop in the field or deliver it to an IoT device that’s been deployed, some sort of sensor out there in the environment, is what is so unique about the solution.
Â
Not only is the quantum computer leveraging these new physics capabilities that were not possible with classical computers and have never been possible before up to this moment in time and also figuring out the way in which we’re able to bring that capability, and bring the power of that machine, to help classical encryption and classical devices. Whether it’s a cell phone, a laptop, or a server somewhere, it doesn’t have to have the quantum element installed and we are still able to create that quantum effect providing a new level of security that just wasn’t possible before.
Is it standard to have a software-based quantum offering?
Roy Stephan:
Anytime you’re dealing with quantum effects, there’s always hardware somewhere in the mix but what’s unique about Quantum Origin is we’re able to take quantum seed, as we call it, that’s created inside the quantum computer. Quantum Origin leverages the hardware of the quantum computer to create that seed, hence the name, because it originates inside the quantum computer. But the power of the system is being able to democratize that improvement in security and to use information -theoretical mathematics- to bring the proven nature of that quantum seed down into classical environments.
Â
If you’re running a Linux machine, you could install it with an RPM which is a very simple installer. You could install it on your Windows on your laptop. And again, the difficulty is being able to take it from that quantum hardware environment and pull it into software and deliver it in an effective manner to classical environments.
Â
Other people have tried this in different ways. Usually, it’s some sort of chip which people have to install into their device or into their machine, and installing new chips can be price prohibitive. If you’re trying to get them into IoT devices, trying to get them into cell phones, there may be no way to effectively do it. But even if you’re installing them into laptops or servers, there’s a logistics nightmare in terms of trying to get a new chip into the machines. And then how do you upgrade machines that are already deployed and in the field?
Â
And then you’ve got challenges to worry about with supply chain management. Where was that chip manufactured? If it wasn’t manufactured in America, does that chip have some sort of malicious code embedded in it? And how do we maintain that security of the supply chain along with those chips? And all these questions are a lot easier when you’re dealing with the software layer that’s integrating with commodity hardware. Just your average operating system and your average chipset that you’re buying off the shelf from a known manufacturer or some common piece of hardware.
Â
Any system that you’ve deployed using classic technologies, whether it’s on a cell phone or an IoT device or it’s a laptop or a server, could be any level of the network if it’s classically deployed, it’s pulling randomness from the operating system or from some classical component of that existing environment. There are a number of challenges with that and historically we’ve had to accept the risk that those challenges bring because there was no other option.
Â
With Quantum Origin, we bring the power of the quantum computer and proven randomness down to these devices, and it becomes a relatively simple install. It’s a very small library. It’s entirely software.
Â
There’s a one-time installation, and then for the lifetime of that device it never needs to be updated. It never needs to receive any kind of new communications from the network or new updates to the software. It’s a simple to deploy, standalone, implementation that can be deployed into the field with NIST validation, so you can check your compliance boxes as well.
Â
And the objective for us is to make it as easy as possible to integrate. We have six different adapters that we’ve developed to be able to plug this randomness in at different levels—into the operating system or into a specific application, to be able to include it as a library when you’re deploying applications to the field, to be able to update an entire device that’s in the field, such as the operating system level.
Â
And all of these different adapters provide our customers and our vendor partners with a lot of flexibility in terms of how they can integrate it using existing open protocols to speed up the integration. It helps make the compliance process easy to manage, improve the security -even in devices that have already been deployed to the field- because as software, you can retroactively update existing devices in the field with a patch update.
What about size, weight, and power (SWAP)?
Roy Stephan:
These are important requirements for anywhere where there are weight and space concerns, like satellites, deployable systems, hand-carried types of systems or devices that attach to your person.
Â
All of these types of devices are concerned with how much weight is being added, how much additional power a new capability is drawing from the environment. Do we need to add more batteries? It’s all sort of related to weight, really, when you get back to it.
Â
And the fact that we’re software-based again is a massive advantage here for anybody that has SWAP concerns. Being able to do what we do with software helps them improve their security without adding to their size and their weight, their power that they’re already carrying or deploying.
What is Harvest Now, Decrypt Later?
Roy Stephan:
When we’re talking about post-quantum cryptography and some of the quantum threats that are out there, there’s a number of algorithms that a quantum computer can implement which classical computers cannot, that put classical networking at risk.
Â
We’re looking at a time horizon of the next five years, according to most industry experts, where quantum computers are going to be able to decrypt RSA security or elliptical curve security and it’s really focused on public key cryptography. NIST has just released a set of new algorithms which everybody should be implementing to protect against the quantum threat and at upgrading your key strength. Quantum Origin provides increased key strength, and the NIST algorithms provide increased algorithmic strength to help protect against some of these existing quantum attacks. Together, we improve your overall security to help protect against future attacks.
Â
But it’s not just future quantum attacks that we’re worried about, we are also seeing in the marketplace something called harvest now, decrypt later. This type of attack is from large organizations, nation-states, who recognize that in the next five years or so they’re going to be able to decrypt the average communications. So, they’re starting to store those communications now and looking at anybody that’s communicating sensitive information that they think is still going to be sensitive, secure, or classified five years from now.
Â
When you think about the lifetime of your sensitive data, five years is not that long when you’re looking at the military, when you’re looking at government environments.
Â
Think of an organization collecting everything you send now and being able to read it in five years. What kind of information would they get if they had all your information from five years ago? What kind of information would they have today that could potentially put sources and methods at risk that you’re dealing with right now?
Â
One of the challenges is that as they’re collecting this information, they start to run other types of attacks. Because if you’re a nation-state and you’re starting to collect and harvest large, vast amounts of sensitive information and you’re just waiting until the day when quantum computers are fast enough to be able to read it, and you know that day is coming real soon. And you look at those large databases of information that are growing right now and you say, maybe there’s some classical attacks that I can run on this large bank of data. One of the primary classical attacks they’re running are key attacks and these are not necessarily new, but if there was something wrong, something misconfigured, or for some reason people were using poor randomness in their encryption processes, they could be vulnerable to some of these attacks.
Â
So, when you look at the harvest now, decrypt later, there are challenges today from classical attacks just because they’re all being harvested in one place and that’s something that Quantum Origin helps protect against and can start protecting you against today. When they hack the cryptography, they can’t just read your messages. They can also pretend to be you and send messages as you or authenticate as you to your systems.
Â
This is the type of thing where five years ago people said it’s twenty years away, if ever. And just because technology continues to move forward faster and faster, now most people agree it will be in the next five years, but it could be even sooner as we see different technological advances. So, people are really paying attention.
Â
NIST released the new algorithms just in the fall, and that has been a major point in time for a lot of customers. But what we’re seeing from the average organization, who you know, an average hospital may not have a lot of cryptographers on staff able to delve directly into this threat. What they’re doing is requiring their OEM vendors to have these protections installed.
Â
We’re seeing a lot of interest from the networking community, from things like firewalls, other security and encryption devices, where these are the trusted mechanisms for communication from those end users. And those OEM manufacturers need to earn that trust, right? So, they’re the ones who are looking at this threat first, and they’re the ones that are instructing their customers about the threat. And that’s the first place the customers turn to the people they rely on for security today, and they say, what’s your roadmap for protecting us from this threat? And when it’s five years out, that’s important, because now you’re getting inside the tech refresh cycle, right? The things you buy today are probably still going to be attached to the network five years from now.
Â
You want to make sure that not only are you upgrading the security to the best you can now, but it may not just be a one-time process. You want to make sure that you’ve got a process for updating that encryption level if you ever need to in the future.
