Konstantinos Karagiannis, the leader of quantum computing services at Protiviti. We discuss the dual aspects of quantum computing: its promise in transformative use cases and its threats in post-quantum cryptography. Konstantinos explains why organizations need to act now to secure their data against future quantum threats, emphasizing the importance of cryptographic agility and hybrid solutions. He highlights how different industries, particularly financial services and government, are leading the way in adopting post-quantum standards. We also explore the challenges of quantum key distribution, the evolving vendor landscape, how organizations can prioritize their post-quantum journeys, and much more.
Transcript
Yuval Boger: Hello, Konstantinos, thank you for joining me today.
Konstantinos Karagiannis: Hey, thanks for having me back. Yeah, it’s been a long time. And of course, I’ve seen you at conferences and things, but it’s nice to be back on your show.
Yuval: It’s good to have you. So who are you and what do you do?
Konstantinos: Yeah, my name is Konstantinos Karagiannis. I run quantum computing services at Protiviti. So basically, my job is a little binary for someone involved with qubits. It’s one half is helping customers use quantum computers to do amazing things, use cases. And the other half is helping customers with their journey to post-quantum cryptography. You know, so it’s sort of like the promise and the threat. I deal with both halves.
Yuval: Are both halves equal or do you see one more than the other?
Konstantinos: Oh, yeah, that’s a good question. I shouldn’t say half, probably, because, yeah, use case wise, I’d say that’s less than half. So it’s half my attention. But yeah, project wise, I’d say more people are worried about the quantum threat right now. We had a couple of interesting years or a year and a half, let’s say, where AI became this crusher of all other emerging technologies. It was like, yeah, we’re just going to do AI. But I think AI now is becoming more of a present technology rather than an emerging one. You know, it’s hard. You’d be hard pressed to find a company not using it somehow in production one way or another. So I think now the emerging money, those buckets, as companies like to say, should be flowing towards quantum again, especially with recent news, getting everyone all excited again.
Yuval: And for those that are not familiar with Protiviti, could you say a few words about the company?
Konstantinos: Sure, absolutely. If you go back far enough, about 20 years, I’m sure your listeners have heard of the Big Four. It used to be the Big Five. And one of those Big Five kind of had an accounting issue that involved a certain company with a letter E in its name. And they ended up kind of going away. And all the folks unrelated to that and were involved with technology and all that good stuff created Protiviti. So we’re sort of like a Big Four point something out there. We do all the same sorts of stuff. We have a huge security practice, huge in AI and IoT and cloud. And of course, I get to run one piece of it, which is quantum.
Yuval: So I’m a CIO or CSO, Chief Security Officer of a Fortune 500 company, and I come to you. So first, by the way, who does come to you? Is it the CIO or CSO or CTO? What do you see more often than not?
Konstantinos: Yeah, it depends. So we have a huge base of like Fortune 500 companies, let’s say, that are our customers and some other like smaller ones too. And a lot of times it just becomes whoever’s involved in security in that company, they’re already doing something else with us. And then we just go in and kind of say, hey, talk to this guy because like security is now evolving into a new frontier. So, yeah, it could be a CSO. It often is. But sometimes it’s someone who’s a little more forward leaning and thought like someone who’s a little more innovative and they seek out this on their own and they bring me to their, let’s say, CSO, whoever they report to, which is kind of exciting because then they’re the one that has this on their mind. And you know how it is in computer security. I’m sure a lot of people are very focused on it right now. They’re thinking about like, oh, how do I get to the next six months or whatever it is? And quantum is perceived by them as 10, 20 years away. And of course, for reasons we can get into, that couldn’t be further from the truth. This is a problem you have to consider now.
Yuval: Let’s role play this for a second. So I’m a CSO and I heard about this quantum threat. I read about it in the Wall Street Journal and I hear really good things about your company and about you. So I’m glad to see you. I’m glad to meet you. What do you ask me first? Where do I start?
Konstantinos: Okay, so first I would talk to you about how you view cryptography in general, probably, you know, like your thoughts on cryptography and why do we have cryptography? You know, we have cryptography of data in motion and we have cryptography of data at rest, if you want to simplify it. And we do this because these are secrets that need to be preserved for some period of time, always. So data in motion, sometimes it could be of value for a very, very short period of time. If I send a message that says I’m meeting with some secret spy at two o’clock tomorrow, and in a few weeks you decrypt it, oh well, pretty much useless information, you know. If I do a credit card transaction and in five years you decrypt it, pretty much useless information. If I send the secret formula to Coca-Cola and you decrypt it in seven years, very useful information, you know. So secrets have a shelf life. So they have to understand that that shelf life needs to be preserved.
And if cryptography is threatened in the future, we have a host of attacks that can be enacted today. So information that’s moving today can be harvested and decrypted later. So what we call a harvest now, decrypt later attack. So that kind of sets the stage for this not worrying so much about the fact that quantum computers aren’t here now, but what are you doing because of what we call Mosca’s theorem. It’s the shelf life of a secret plus the amount of time it takes your organization to migrate. That’s a pretty big number usually. And that means it’s already too late for some secrets. So we have to get started.
So that’s one initial way I’d ease into it, just talking about the importance of secrets and how cryptography can be threatened in the future. Then we can delve into the more regulatory aspects of it. Anytime you have regulators, they want to know what you’re doing in any space. There’s things like PCI, of course, you have to follow the rules for PCI, you have to follow the rules for whatever industry you’re in. And those rules usually contain some kind of cryptographic information around them.
And now that NIST has published new standards, what does that mean? What are those regulatory bodies going to require you to do?
Yuval: If I think about the regulator, sometimes I as a CISO would put in a new encryption scheme or a new protection scheme ahead of the regulator because this is important data for me and the fact that I need to have it by 2035 or something doesn’t matter. I want to protect my secrets today. But what industries have regulators provided deadlines that are the soonest? What industries do you focus on because, oh my God, it’s got to be by 2028 or something?
Konstantinos: Yeah, sadly, there’s no deadline to implement post-quantum cryptography technically yet, but in August of 2024, NIST published the new standards. And the White House two years before that had said that once these standards come out, federal agencies have to really start rolling to simplify things. Then in November 2024, NIST also published its timeline for deprecation. So that’s pretty interesting. The timeline for deprecation says that by 2030, all vulnerable ciphers are deprecated. By 2035, they’re disallowed. So in theory, anyone who takes that guidance is going to be affected. So every single industry, realistically, by the time we get closer to that, if you do a pen test or an audit or whatever, they’re going to say, oh, you have a deprecated cipher. That’s this level threat. Oh, you have a disallowed cipher. That’s this level threat. And this is nothing new. Whether it has to do with quantum or not, this is something we’ve dealt with for years. So what I like to point out to those companies is that whether or not you believe in a quantum computer achieving the power to crack cryptography is completely irrelevant. Once something’s deprecated or disallowed, you’re not going to be able to have it. You’re just not going to, for whatever reason, you know? So that’s one thing to keep in mind. But for now, to answer the other part of your question, I do find that the financial industries are starting to show the most interest in this outside of the government, which is already required to begin doing things about this. And that’s probably not by accident. A, obviously they’re the most worried about their data, literally where the money is. And B, a few key financial players were pulled in in the early days of this to work hand in hand with the government and be ready. And everyone wants to do business with the government. You can’t just be like, well, we’re not going to do business with the United States government. Good luck with that one. 
Everyone has to be ready to do that. So I do see everyone sort of falling in line anyway as a result.
Yuval: You brought up the point about quantum computers. So you’re absolutely right. If I need to write programs on a quantum computer, I need to understand what they are and how to do it and how is it different than classical computers. But if now there’s a new encryption standard, why do I care if it’s quantum or not? What is the difference between that and government saying, oh, it’s got to be RSA 8192, hypothetically?
Konstantinos: Okay. Yeah, so one thing that people think when they hear post-quantum cryptography is that it’s a quantum computer doing it. And it’s actually not. There’s nothing quantum about post-quantum cryptography. It’s just that it is resistant to quantum computing as far as we know. So there was a time when we thought that factoring large numbers would be the be all end all, you know? And Peter Shor showed in 1994 that that is not exactly the case. And that there is a path forward to factoring numbers with a quantum computer. For other types of cryptography, you can get into like Grover’s algorithm for searching keys and things like that, too. So how quantum post-quantum cryptography works is you pick a different paradigm and you make that your new way going forward. So the ones that were selected now that are going to be popular are based on lattices.
And lattice-based cryptography is, if you think about RSA as two large numbers multiplied to make a bigger one and trying to figure out what those numbers are, lattice-based cryptography is another way to get two large numbers. I mean, that’s a really, really easy way to simplify it. And to get those numbers, you use them as vectors and matrices that describe lattices, which are a hyperdimensional field of dots, to simplify it. Your listeners could imagine, I’m sure, like a bullet journal, just dots on a page. That would be a two-dimensional lattice. A three-dimensional lattice would look like a glass box with marbles floating in it, maybe, but equal distance apart with a repeating pattern. And lattice-based cryptography can use higher dimensions, which it’s really hard for the human mind to imagine, but they’re just stacking more numbers on top of the matrix or vector. So it turns out that reversing what happens in lattice-based cryptography is difficult or probably impossible for a quantum computer. So that’s why we’re going to move forward and replace how we get those numbers, just to really simplify it for people trying to listen.
Yuval: Is it indeed a replacement, or would I take a PQC standard or PQC implementation and layer it on top of an existing one, just in case, you know, aside from the protection from the previous?
Konstantinos: That’s a great point. That’s actually what I wish would happen. We do have hybrid solutions. And in fact, for a couple of years now, there have been hybrid solutions in production. Like AWS has had some hybrid post-quantum protections in place where they would take ECDSA and wrap it in a post-quantum finalist. The hope there is that if there is a flaw found in post-quantum cryptography, you’re no worse off than you were, because once you get past that flawed outer shell, you still got something tried and true underneath for the time being. I do love that approach, especially because the performance hits have been minimized greatly. People underestimate how great hardware is now. Hardware is getting faster, network connections are getting faster. So a few millisecond latency increase doesn’t really impact anybody anymore. Long gone are the days where you’re worried about quite that level of performance hit. You just throw more hardware at it. Hell, if we do generative AI, we’re used to throwing more hardware at a problem. So yeah, that’s a good point.
Now, why some people don’t want to do that is the threat of a double migration. They view it as we’re going to migrate to hybrid, then we’re going to have to migrate to just pure PQC. And that raises a whole new can of worms. I don’t know if they should think of it that way. And this is a process that’s temporary. Like right now we’re migrating to PQC. Everyone’s migrating to PQC. It’s become this new unique thing where it’s like a combination of Y2K, because we know it’s coming, and a zero day because we don’t know when it’s coming. So it’s this combination.
One day, if you’re a brand new company that just appeared on planet earth, you’re going to be PQC ready from day one. You’re going to buy servers, PQC. Network equipment, PQC. Go to a cloud provider, PQC. It’s all just going to be PQC. So you could think of this as like the early days of Wi-Fi, when everyone was like, you can’t use 802.11b, you have to use 802.11g or whatever for security reasons. Now you don’t hear that anymore. It’s just the standard. So yeah, for this time period where we’re all in migration, I agree with you that hybrid would make the most sense, the least likely to put us in any kind of peril. So yeah, I like that approach.
Yuval: Does anyone care about QKD, quantum key distribution these days?
Konstantinos: That’s a good question. I used to be involved with that. I used to work at British Telecom years ago, and we were kind of well known for doing the first sending of QKD over dirty fibers with phone calls and other things going on. So QKD, it’s got a huge flaw. It’s physics based. And normally, you know, we all love physics, but when something’s physics based, in this case, it means it’s tied to a physical medium too. So QKD requires a fiber, and it requires some kind of repeater system to extract the data and send it off again and because of the no cloning principle it’s not very easy to pull that off. So QKD is point to point. So if you want to have two buildings of a bank or a bank talking to a financial or federal agency or two government agencies talking to each other, that’s great. You know, QKD is fine. If you want to have some kind of specially created network to connect quantum computers together one day, those principles can be applied for physics-based. But I don’t anticipate anyone’s going to want to hold their cell phone up to the sky and try and catch photons off of a satellite to get a protected message. That would get kind of tricky, even though it’s possible in theory, it would be pretty difficult to pull that off. That’s the hugest limitation of QKD. But you will see an interest in physics based security, I believe, as this concept of a quantum internet evolves. What does that even mean? If you ask three people what a quantum internet is, you’ll probably get 19 answers. Like I don’t think you’re going to get a very defined one.
Yuval: How about vendors? When you as a consulting firm go lead an audit or consulting project for one of your large customers, ultimately, oh, we recommend you buy this and this and this or implement this kind of thing. Do you see completely new vendors for PQC or is it the same trusted old security vendors that are just providing another option?
Konstantinos: I’ve seen both for sure. There’re a couple of aspects of PQC that help consulting and implementation. One of them is this idea of technical inventory. So I’ve seen brand new companies come up with software that does technical inventory and helps you manage it in like a dashboard. And I’ve seen older companies start to implement aspects of it. So there’re two sides working together there. I anticipate more tried and true network security software is going to start implementing it. Because it’s a big ask sometimes. To introduce an entire new dashboard. So I have a feeling that those new companies are going to either completely implement, like support their end listeners, support their dashboard as like a plugin, whatever. I’m seeing both.
And the same goes for PQC solutions. I’m seeing vendors of key management software and hardware, all that kind of stuff. They’re starting to add PQC or promise the path forward. And at the same time, you’re getting these like what I call out of band solutions that are popping up. They’re like, yes, we’re PQC today. They said they were PQC before NIST even came out because they did stuff like getting a key from a cloud server and then using it with increased entropy to send a message one time or whatever on your network. So it was like this kind of extra heavy Herculean lift that you were doing on your network. But it was technically PQC safe. It’s just not plug and play. It’s buying into a whole entire new structure. So I guess the answer is both, literally to both aspects of it, to inventory and to implementing it.
Yuval: How far are we along? You mentioned that NIST published the standards in October and the White House said something in November. If you think about the Fortune 500 companies, how many of them have started or are well on their way to PQC implementation? Is it 499 or is it 17?
Konstantinos: The standards were announced in August. The time of the deprecation was announced in November. And now that we’re in 2025, I think I’m seeing people putting it on the books more. Like it’s like, oh, that’s part of our budget now. Like we have to at least do the initial steps. But the numbers are pretty small. Like they’re really, really small. In fact, there was a survey done by Entrust a while ago and it was pretty small numbers from the people they surveyed. And there’s a reason. It is a major, major deal. The most you can say about their journey is that they’re looking into it in some cases and starting to do inventory. That’s what I’m finding a lot of.
I’d like to see more of them at least tackling what their crown jewels are and maybe starting to secure them with PQC first. It’s not so important for more ephemeral types of messages. But I think your crown jewels should have at least hybrid post-quantum by now. Or migrate to the cloud. This is that one time where we could say migrating to the cloud is a security relief rather than like the dread that people used to think. When the cloud first came out, everyone was like, I’m not putting my stuff on the cloud. You know, all companies were like, no, on-prem is the way. And now ironically on-cloud is where you’re safer when it comes to post-quantum.
Yuval: Is it safer because the major cloud providers have just implemented it already or…?
Konstantinos: Because they started and they’re going to continue. And you’re guaranteed that it’s going to be done pretty much. I mean, I can’t imagine that within two years you’re going to be hearing from AWS and Azure that they’re not PQC ready. That’s just hard to imagine. So I think that’s the path to migration for many workloads.
Yuval: I think a large company is going to have to prioritize, right? Do a survey, see what’s more vulnerable than others, and then maybe start this 20-year journey to go to PQC or maybe 10 years?
Konstantinos: You don’t have 20 years. You’ve barely got 10 now at this point. So we help with that. We do a whole cryptographic agility assessment, show you how ready you are to migrate, understand the cryptography you’re using now. There are a lot of considerations. There’re things like what third parties do you rely on? Are they on the path? Are there certain technologies that are never going to be on the path? Some ancient technologies do have a path forward. IBM’s Z16 mainframes, for example. Unsurprisingly, IBM knows what a quantum computer is. They’re the first ones that put them on the cloud, and they already have a path forward for their mainframes to be post-quantum, for example. So you have to go case by case and figure out what technologies you’re using, but that’s just the start. Then it’s like we said, implementing and starting to actually make the move forward. But it’s something literally everyone has to do. When people ask me, “Oh, which of your customers do you think are going to need to do PQC?” I’m like, “Literally all of them. Every single one. Every mom and pop up to every Fortune 100 has to do it.”
Yuval: Do you see any risk of hardware deprecation because of the additional computational requirements? Or is it just going to happen naturally just because hardware gets deprecated anyway?
Konstantinos: Yeah, hardware gets better. It’s funny, when ML-KEM was getting close to being released, which is the lattice-based key encapsulation mechanism, I took a look at some of the performance numbers. And it was funny. So let’s say the Kyber 512 version of that. It has a larger public key, 800 bytes compared to 256 for RSA. It has larger ciphertext, like triple. Its encapsulation speed is about half as fast. So that sounds like a recipe for disaster when you include those. You’re like, “Whoa, these are some big numbers.” But then when you get to decapsulation, it’s got 100,000 operations per second compared to around 1,400 for RSA. So that’s like 100 times faster. And then its key generation time is so fast, like it’s 125,000 operations per second compared to 30 for RSA. So that’s literally like taking the world’s fastest fighter jet, multiplying its speed by three, and then comparing it to the speed of light. So in some ways, ML-KEM is way faster. And as the other hardware scales and network speeds, I think the other aspects of it will just be sort of forgotten. So it’s that scaling that we really need to consider. And I think in many ways, performance-wise, you’ll get better performance one day from larger versions of ML-KEM. Let’s say there’s higher future levels of it.
Yuval: What pieces of advice could you give to companies thinking about this? I mean, I would imagine the first one would be start now if you haven’t already. Number two, maybe, cooperativity. What’s the third one?
Konstantinos: Yeah, yeah, those are good ones. The third one is to do a POC with critical data, like I hinted at before. You learn a lot about how your organization does when you actually enable and enact something. So picking some real high-importance crown jewel, implementing hybrid, and seeing, do you get a performance hit? Do you have any kind of technical issues? You sort of do a POC in a sandbox environment or something like that. And then you also don’t tell certain groups that something has been switched on because you’re going to get a lot of bogus emails. There’s an old IT trick. If you’re going to add something new to your organization, lie and tell everyone you did it two weeks before you did. So everything you get will be a crank call for those two weeks. I can’t get my email. I can’t log in my laptop. It’s like, we haven’t changed anything yet, sir.
Yuval: Is it easier to get budgets for PQC than regular security projects? I mean, do the executives feel scared by quantum computers and therefore maybe are more open to opening their wallets?
Konstantinos: It’s not that expensive to do the audit, the initial audit and inventory. It’s not that crazy a project. So in many cases, it’s sort of like the thing that you don’t need the top level approval. It’s like, oh, how much is that? Oh yeah, sure. So that does happen. And the other reason that the approval isn’t that difficult now is every once in a while, someone really nails the fear factor on the news. And even though I try to say it’s not that bad, you know, I do a podcast too, The Post-Quantum World, and I try not to fear monger, but people get scared. Google Willow is a great example. I have seen the craziest incorrect coverage about Google Willow. It even ends up on Joe Rogan. He mentions it like three times a week and he’s wrong every time, but he mentions it like three times a week. And because Google Willow makes it sound like we’re going to be cracking encryption in the next month. And if you read some of these news stories, yeah, then it gets executives’ attention and they’re more willing to show that they’re kind of ahead of the curve when in reality, no, we’re not going to be cracking encryption this year because of Google Willow. That’s not going to happen.
Yuval: So last, I got to ask you the dinner question. If you could have dinner with one of the quantum or the security greats dead or alive, who would that be?
Konstantinos: David Deutsch.
Yuval: And why?
Konstantinos: Yeah, because he’s really the father of our field. I mean, you know, sure, Feynman proposed the quantum simulator, but he had something different in mind. David Deutsch actually wanted computation. He showed the gate-based process. He came up with the algorithm. And he even took it to that place that Google tried in their news announcement, that whole idea that maybe this is proving a multiverse or at least adding evidence to it. So I think if I can have a little stretch of time with anyone involved in quantum computing, especially, it would have to be him.
Yuval: Well, Konstantinos, I appreciate the little time that you provided me today. Thank you for being here.
Konstantinos: Yeah, any time.