
Interview: Securing the Post-Quantum Era


A Conversation with FortifyIQ’s Chief Innovation Officer, Yaacov Belenky

Why is post-quantum cryptography becoming such an urgent topic today?

Because quantum computers will break today’s asymmetric cryptography. Once large-scale quantum machines exist, RSA and ECC, the foundations of secure communications, signatures, and key exchanges, will no longer be safe. That’s why major security agencies, including the NSA (through CNSA 2.0), Germany’s BSI, and France’s ANSSI, already mandate migration. Standard asymmetric cryptography will be deprecated by 2030 and disallowed by 2035. The industry is therefore moving rapidly toward Post-Quantum Cryptography (PQC).

But PQC is supposed to be “quantum-safe.” Why does it still need protection?

That’s a critical question. PQC algorithms like ML-KEM (Kyber) and ML-DSA (Dilithium), now standardized by NIST in FIPS 203 and FIPS 204, are indeed resistant to quantum mathematical attacks. However, their implementations (the way they are realized in hardware or software) remain highly vulnerable to physical attacks, especially side-channel and fault-injection attacks.
In fact, several masking-based PQC implementations have already been broken in academia, in some cases with just a single power trace. These aren’t theoretical weaknesses; they’re practical and exploitable vulnerabilities. So while PQC solves the mathematical problem of quantum resistance, it introduces new implementation-level risks that must be mitigated.

How urgent is it to address these implementation vulnerabilities?

Extremely urgent. Adversaries are already “harvesting” encrypted data today, intending to decrypt it once quantum computers become powerful enough to break RSA and ECC. The urgency comes from the fact that any data harvested now remains at risk indefinitely, since quantum computers will eventually be able to decrypt it. Updating your systems in the future cannot retroactively protect information that has already been collected.

That’s why it’s critical to adopt protected post-quantum cryptography (PQC) now, to prevent adversaries from accumulating encrypted data that could later be exposed. Switching to PQC without implementation-level protection is ineffective, since side-channel attacks can still reveal cryptographic secrets and sensitive data.

The urgency is perhaps highest for high-assurance systems and critical infrastructure, including vehicles, satellites, and industrial IoT devices expected to remain operational for a decade or longer. Regulators are moving quickly: NIST, ETSI, and national certification bodies are already working to incorporate side-channel and fault-injection resistance into post-quantum compliance frameworks. Future regulations will likely mandate that PQC implementations meet these physical security requirements, rendering unprotected devices non-compliant.

What makes FortifyIQ’s approach different from masking-based protections?

We use an algorithmic hardening approach that operates at the mathematical level of the implementation, not just at the masking level. It’s the same family of techniques we’ve validated for our AES cores, which passed AVA.VAN.5 evaluation by a Common Criteria lab. The protection is intrinsic to the design and validated as robust against side-channel and fault-injection attacks. While share-based masking techniques in PQC have some vulnerabilities to side-channel attacks (particularly during compression and decompression, encoding and decoding, and, in some algorithms, hashing), our algorithmic protection is secure across the algorithms and includes fault-injection protections, providing high-assurance certifiability. Additionally, our protections avoid the large overhead typically associated with masking by using algorithmic means rather than added-on countermeasures.

Let’s talk about performance. What’s the impact of these protections?

In software, our SCA/FIA‑resistant PQC implementations achieve performance (and therefore power consumption), code size, and RAM usage comparable to highly optimized, unhardened PQC implementations, showing that strong security doesn’t require sacrificing efficiency.

More specifically, in hardware, our IP can either match the performance of standard unhardened PQC cores or, for resource‑constrained devices, maintain an area footprint comparable to conventional implementations. The design is fully soft‑macro IP, integrated exactly like any standard macro, with no special constraints or toolchain requirements.

Benchmark results for each customer’s tailored implementations are available under NDA and consistently demonstrate state-of-the-art efficiency.

You mentioned both hardware and software implementations. How are they deployed?

The FortiPQC suite offers OTA‑deployable software libraries, standalone soft‑macro hardware IP cores, hybrid (classical + PQC) CryptoBoxes, and Caliptra-compatible Roots of Trust, all providing both post‑quantum (PQC) and traditional cryptography (AES, HMAC‑SHA2, RSA, and ECC) and hardened against side‑channel and fault‑injection attacks. All components are designed for easy integration. Each cryptographic algorithm uses a unified API across hardware and software, letting you start with the software library for immediate protection and seamlessly switch to the hardware IP later, without changing your software stack.

The hybrids are particularly important because we’re in a long transition period and deployed devices still require RSA or ECC for compatibility with devices already in the field. Our CryptoBoxes and Roots of Trust provide that dual capability with optimal efficiency, without duplication of logic or power penalties.

What about “Crypto-agility”? Are these implementations updatable?

Yes. Both our software and our hardware asymmetric cryptography (RSA/ECC and PQC) are designed for secure OTA (Over-The-Air) and FOTA (Firmware-OTA) updates, so that parameter sets, algorithms, and protections against emerging threats can be added without redesigning hardware. This “crypto-agility” is essential especially for PQC because quantum computing is a new technology, so standards, parameters, and attacks may change and must be updatable. In addition, new algorithms may be standardized, so the cryptography must be flexible enough to include them, too. Our quantum-safe cryptography smoothly aligns with all of these needs.

Symmetric cryptography (AES-256 and HMAC-SHA2-512) is inherently quantum-safe. FortifyIQ implements these primitives in both hardware and software, with built-in resistance to side-channel and fault-injection attacks, while achieving performance, power, and area close to those of unhardened implementations.

Beyond FOTA updates, crypto-agility means we can swap in a new algorithm quickly, first in software, with side-channel and fault-injection resistance built in. Then, using the same API, you can migrate the same algorithm to hardware acceleration without changing system integration or losing those security properties.

Can FortifyIQ tailor its hardware and software cryptography IPs to specific customer requirements?

Yes. FortifyIQ works like a security boutique. All our hardware IP, software libraries, and hybrid CryptoBoxes and Roots of Trust can be customized throughout each project, up to tape-out where necessary, to match specific device constraints, performance goals, or certification needs.

We balance each customer’s device performance and latency, area, memory, and power usage against their needs. We also include only the cryptographic blocks they need (AES, HMAC-SHA2, PKA, PQC) or combine them with our software libraries, allowing for seamless switching between hardware and software under a unified architecture (API).

And importantly, every version maintains certifiable protection against side-channel and fault-injection attacks.

What types of customers or systems is this designed for?

The technology is designed for a very wide range of systems, and each deployment is configured specifically for the customer’s device and requirements. We adjust architectural parameters and algorithm variables to meet the constraints of the target platform, whether that means minimizing energy consumption and silicon area or maximizing throughput.

At the low end, this allows us to support ultra-low-power embedded controllers and battery-operated IoT devices, where efficiency is critical. At the other end of the spectrum, we build configurations for high-performance environments such as cloud and data-center accelerators.

In practice, the same technology can therefore be configured for microcontroller-class implementations or multi-gigabit throughput systems, while maintaining strong resistance to side-channel and fault-injection attacks. Our Roots of Trust have the capability to support on-the-fly encryption with full SCA/FIA protection, which is increasingly important in chiplet-based and heterogeneous architectures.

What’s your view on the bigger picture? Where is PQC protection headed?

Post-quantum migration is unavoidable, but secure post-quantum deployment isn’t automatic. Protecting PQC against physical attacks is as fundamental as adopting the algorithms themselves.

Can you summarize FortifyIQ’s overall goal with FortiPQC?

Our goal with FortiPQC, across software, hardware, and hybrid systems, is to make protected post-quantum cryptography intrinsic, certifiable, and practical for every device class. We achieve this by applying algorithmic protections that allow our protected PQC to rival the PPA (Power-Performance-Area) of unprotected implementations, tunable to the most constrained configurations. FortiPQC delivers high-assurance post-quantum cryptography ready for real-world deployment.

What standards and certifications does FortiPQC address?

FortiPQC aligns with FIPS 203, 204, 205, NIST SP 800-208, and ETSI TS 103 619, and is engineered to meet the cryptographic security standards up to FIPS 140-3 Level 4, Common Criteria AVA.VAN.5, and SESIP Level 5. Every implementation, hardware or software, is designed for certifiability from the start.

About FortifyIQ

FortifyIQ engineers certifiable cryptographic IP cores, software libraries, and roots of trust with traditional and post-quantum algorithms, all hardened against side-channel and fault injection attacks, without compromising performance, area, or energy efficiency. Our solutions are foundry- and platform-agnostic, integrating securely across a wide spectrum, from smart cards and IoT devices to AI accelerators and cloud systems.

Backed by a strong portfolio of granted and pending patents, deep cryptographic research and formal and practical security proofs, FortifyIQ’s IP is developed and validated using our own pre- and post-silicon EDA tools, enabling systematic evaluation of physical attack resilience.

FortifyIQ delivers advanced cryptography that is certifiable, reliable, and built to meet the challenges of high-assurance, real-world applications.

For more information on FortifyIQ’s PQC, please visit https://fortifyiq.com/

Media Contact:
Olivier Debelleix
VP of Business Development
info@fortifyiq.com

FortifyIQ AES Algorithm
AVA_VAN.5 Evaluation & Validation Summary
SGS Brightsight Common Criteria Laboratory
Summary. “The leakage analysis (Welch t-test) on over 30 million traces did not show statistically significant first- and second-order differences between trace sets with fixed and random inputs. The template-based DPA analysis, on the pseudo-random trace set for the profiling phase (15 million traces) and on a sub-set of 300k fixed-input traces for the matching phase targeting the first-round S-box output, and template attack on ciphertext, did not indicate any potential information leakage.”
“The results for the soft IP presented in the report were obtained on the TOE which is the basic hardware implementation of the soft IP without additional levels of security (e.g. that are present in a secure silicon layout). Therefore the internal strength of the soft IP itself was evaluated. This indicates that the investigated features and parameters of the soft IP implementation should be robust against SCA and fault injection attacks in different implementations including ASIC. Nevertheless, according to the Common Criteria rules, the strength of the final composite product must be evaluated on its own
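The evaluation summary above refers to a fixed-vs-random Welch t-test at first and second order. The following is an added example, not FortifyIQ or SGS Brightsight code, that implements that leakage test in plain Python and runs it on constructed, simulated traces from two hypothetical 8-bit devices: an unprotected one whose power trace leaks the Hamming weight of plaintext XOR key at one sample, and a first-order masked one that processes its two Boolean shares in parallel, so that a single sample leaks HW(r) + HW(x XOR r). The key, trace length, leak position, noise level and trace counts are all assumptions chosen for the simulation.

```python
"""Fixed-vs-random (TVLA-style) Welch t-test on simulated power traces.

Added example, not vendor or lab code. All device parameters below are
constructed assumptions for the simulation.
"""
import math
import random

KEY = 0x2B               # hypothetical secret key byte
FIXED_PT = KEY ^ 0xFF    # constructed fixed input; makes the intermediate x = 0xFF,
                         # which maximises the masked device's variance difference
N_SAMPLES = 8            # samples per trace
LEAK_SAMPLE = 4          # sample index at which the sensitive value is processed
NOISE_SD = 1.0           # Gaussian measurement noise (assumed)
T_THRESHOLD = 4.5        # conventional TVLA pass/fail bound on |t|


def hw(b):
    """Hamming weight of a byte (the leakage model)."""
    return bin(b & 0xFF).count("1")


def trace_unprotected(pt, rng):
    """Unprotected device: one sample leaks HW(pt ^ KEY) plus noise."""
    t = [rng.gauss(0.0, NOISE_SD) for _ in range(N_SAMPLES)]
    t[LEAK_SAMPLE] += hw(pt ^ KEY)
    return t


def trace_masked_parallel(pt, rng):
    """First-order Boolean masking, shares processed in the same clock cycle:
    the sample leaks HW(r) + HW(x ^ r). The mean is independent of x, but the
    variance is not, so the leak is second-order (univariate)."""
    x = pt ^ KEY
    r = rng.randrange(256)                      # fresh random mask per trace
    t = [rng.gauss(0.0, NOISE_SD) for _ in range(N_SAMPLES)]
    t[LEAK_SAMPLE] += hw(r) + hw(x ^ r)
    return t


def collect(trace_fn, n, rng):
    """Acquire n traces with the fixed input and n with random inputs."""
    fixed = [trace_fn(FIXED_PT, rng) for _ in range(n)]
    rnd = [trace_fn(rng.randrange(256), rng) for _ in range(n)]
    return fixed, rnd


def welch_t(a, b):
    """Welch's t-statistic for two samples with unequal variances."""
    na, nb = len(a), len(b)
    ma, mb = sum(a) / na, sum(b) / nb
    va = sum((v - ma) ** 2 for v in a) / (na - 1)
    vb = sum((v - mb) ** 2 for v in b) / (nb - 1)
    return (ma - mb) / math.sqrt(va / na + vb / nb)


def t_test(fixed, rnd, order=1):
    """Per-sample Welch t-values. Order 2 applies the test to centred squared
    samples (each group centred on its own mean), which exposes differences in
    variance that a first-order comparison of means cannot see."""
    tvals = []
    for i in range(N_SAMPLES):
        fa = [tr[i] for tr in fixed]
        ra = [tr[i] for tr in rnd]
        if order == 2:
            mf, mr = sum(fa) / len(fa), sum(ra) / len(ra)
            fa = [(v - mf) ** 2 for v in fa]
            ra = [(v - mr) ** 2 for v in ra]
        tvals.append(welch_t(fa, ra))
    return tvals


def leaking_samples(tvals, threshold=T_THRESHOLD):
    """Indices of samples whose |t| exceeds the threshold."""
    return [i for i, t in enumerate(tvals) if abs(t) > threshold]


def evaluate(trace_fn, n=2000, seed=1):
    """Run first- and second-order tests; return {order: leaking sample indices}."""
    rng = random.Random(seed)                   # seeded so the run is reproducible
    fixed, rnd = collect(trace_fn, n, rng)
    return {order: leaking_samples(t_test(fixed, rnd, order)) for order in (1, 2)}


if __name__ == "__main__":
    for name, fn in (("unprotected", trace_unprotected),
                     ("masked (parallel shares)", trace_masked_parallel)):
        print(name, evaluate(fn))
```

The unprotected device fails at first order at the leak sample; the masked device passes the first-order test at every sample but fails the second-order test at the leak sample, which is why an evaluation reports both orders. Two caveats apply: the 4.5 bound is a screening threshold rather than proof of absence of leakage, and a univariate second-order test as written catches shares combined in one sample but not shares leaking in different samples, which needs a bivariate combination step. Real evaluations also use far more traces (the summary above cites over 30 million) than this simulation.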