skip to Main Content

About this episode

In this episode of The IoT Podcast, we continue the IoT security conversation with Shahram Mossayebi – Founder & CEO at Crypto Quantique, who breaks down the implications of the recently passed EU’s Cyber Resilience Act for manufacturers and businesses and why traditional security approaches just won’t cut it.

We dive into why security isn’t just an expense—it’s an investment in the ongoing battle against cyber threats and the changing mindset to this. We also lens in on how even the most seemingly harmless devices like a fish tank thermometer can become a cybercriminals gateway and how quantum resistant cryptography can offer future-proof solutions for unbreakable encryption.


  • 00:00 Introduction and Background
  • 03:03 The Importance of IoT Security
  • 08:11 Crypto Quantique’s Approach to IoT Security
  • 14:00 The EU Cyber Resilience Act
  • 27:20 IoT Security Regulations
  • 28:01 Challenges of Selling IoT Security
  • 29:08 Accountability for IoT Security
  • 30:22 Paradigm Shift in Security Consciousness
  • 31:19 Enforcement of IoT Security Regulations
  • 32:26 Quantum Security and CryptoQuantique
  • 33:47 Advantages and Integration of Quantum Security
  • 36:36 Post-Quantum Cryptography
  • 38:13 Quantum Randomness and Root of Trust
  • 43:17 Working with the Open Source Community
  • 48:54 Challenges in Recruitment
  • 52:06 Gadget You Can’t Live Without
  • 53:29 Passion for Problem Solving

And much more!

Thank you to our season sponsor 5V Tech. Discover how 5V Tech can help you unlock your scaling potential in cutting-edge tech and IoT – Here

Subscribe on your favourite platform:

Sign Up for exclusive email updates:

Contact us to become a guest/partner:

Connect with host Tom White: / tom5values

Niamh (00:00.388)

Tom White (00:01.476)
Ma ‘am, welcome to the IoT Podcast. How are you doing today?

Shahram Mossayebi (00:07.476)
I’m doing great. Thanks for having me.

Tom White (00:09.636)
Excellent. Well, thank you for coming on to the show. I think possibly the coolest name of a business that I’ve heard in quite some time, Crypto Quantique. It’s just great. It sounds great just to say it actually. Where did… Yeah, absolutely. Absolutely. In fact, for our French listeners, I remember many years ago, I used to have a t -shirt that said Toussaint Muet France.

Niamh (00:19.368)

Shahram Mossayebi (00:20.452)
That’s the French side, French side of it. Makes it sexy.

Tom White (00:39.14)
and it means everything sounds better in French. And I think it really does. So a little bit of an introduction to yourself, Sharam, and the business and how you came up with that wonderful name as well, please.

Shahram Mossayebi (00:41.94)
Oh, absolutely, absolutely. Yeah. Absolutely. Well, I’m Shahram Asaib, CEO, co -founder of CryptoQuantique. My background is in physics and then moving to cybersecurity and cryptography. But knowing physics and cryptography kind of led me.

Niamh (00:48.974)

Niamh (00:59.26)

Shahram Mossayebi (01:07.444)
to study quantum cryptography for my PhD, which was an interesting combination of both. And after finishing PhD, I kind of realized this big opportunity and big problem to solve around security of connected devices or the IoT. So if you guys, the IoT savvy people remember the Mirai attack back in 2016 and Jeep getting hacked.

Niamh (01:23.836)

Shahram Mossayebi (01:37.204)
So for a period of time, IoT security problems were on top of the news in FD and like those big outlets, news outlets out there, which drew my attention. It was a big problem to solve given the vast number of IoT devices in the world and how they are getting embedded to our lives. So yeah, it was interesting. And for me, the angle was how one could bring

Niamh (01:53.724)

Shahram Mossayebi (02:07.22)
quantum technologies, cryptography to address those big cyber security problems in a kind of a hybrid model. And as for the name, I wanted kind of both the same thing in the name and crypto for your audience. It’s short for cryptography and this is how people in academia call cryptography. Now it’s been hijacked by cryptocurrency people, et cetera, but…

Niamh (02:17.82)

Tom White (02:32.472)

Shahram Mossayebi (02:33.236)
So crypto refers to cryptography and the quantique side of it was a nice name of the French way of saying quantum, which kind of quantum security or other bits and elements that we’re doing in the company is going to refer to that. So, yeah, one day I was sitting in Cafe Nero thinking about what I’m going to do with my life and how I can utilize my knowledge to do something good in the world. And I thought about let’s combine these

Niamh (02:44.604)

Shahram Mossayebi (03:03.092)
these things together and solve some big problems. And the name just popped in my head, Crypto Quantique.

Tom White (03:05.42)
Excellent art. It’s a great name. And sometimes things happen just for that reason. It feels quite natural, actually. In fact, the name of my business came to me when I was driving down the motorway and it just popped into my head and it just felt so perfect at that time. And I often feel it’s your gut, isn’t it? It’s your gut telling you beyond your brain.

Niamh (03:14.364)

Tom White (03:31.62)
trying to convince you elsewhere that maybe you need to change it. So yeah, so wonderful name. So just just thank you for the overview. So just to contextualize this a little bit then. So I think it’s, you know, I think it’s entirely relevant and poignant that businesses like yours are working in the space that you do as of the time of recording today, you know, recent press in the UK, you know, Greg’s the retailer, right, you know, known for selling it sandwich.

Shahram Mossayebi (03:34.42)
Indeed, absolutely.

Niamh (03:43.772)

Shahram Mossayebi (03:55.892)

Tom White (04:01.316)
and so on and so forth. They shut all of their stores yesterday because of an IT attack. Every single store in the country, hundreds, it’s not thousands, I don’t know the name, shut because of an IT attack, unspecified IT attack. And actually, it only becomes seems front of mind to the public when something like this happens.

Shahram Mossayebi (04:06.26)

Shahram Mossayebi (04:15.978)

Tom White (04:25.86)
You’re referencing something that happened in 2016, which a lot of people know in the community. And I think sometimes that’s the issue, isn’t it? It’s that unless it’s front of mind, unless we have these attacks or something really serious happens, that people tend to kind of sweep it under the carpet or just get on with their lives, right? But it’s thanks to some of the work that you’re doing in businesses within the community that some of these attacks are becoming less prevalent, actually. So it’d be great to get into that today and learn a bit more about that.

Niamh (04:32.284)

Shahram Mossayebi (04:53.446)
Of course.

Tom White (04:54.98)
And certainly the quantum side of things, which for me just blows my mind. I mean, I came from an embedded background. I a little bit about cryptography and elliptic curves, et cetera, but don’t ask me to quote too much on it. But I think the whole quantum aspect is really, really fascinating. So in terms of the business then, so roughly what sort of size are you and what’s the kind of…

Shahram Mossayebi (05:07.566)

Niamh (05:08.86)

Shahram Mossayebi (05:11.982)
Sure, sure, of course.

Mm -hmm.

Tom White (05:22.212)
you know, mission statement, what you hope to achieve within the company.

Shahram Mossayebi (05:22.676)
Yeah, yes. Well, we are 30 people now. All engineers are in London, based in the UK. But commercially, we are already extended in APAC. So we have an office in Taiwan. And fun enough, I am right now talking to you from Taipei. So it’s almost quarter past 6 PM here.

And we have some activities in Israel, some activities in commercial activities in North America as well. And this year and next year we’re hoping to expand these activities globally as what we do. But the core engineering are in the UK. 30 people, almost a third of the companies are PhDs in a variety of fields from

quantum physics to cryptography to software engineering, IC engineering, et cetera. We have a really nice kind of intersection of different engineering fields, which makes the team very diverse and versatile. So if you’re around the office and you’re hanging out with people, suddenly you hear really, really interesting conversation going on. There’s people coming from a very different background, but talking about the same topic and their angles of how they see.

Tom White (06:45.3)

Shahram Mossayebi (06:47.566)
the problem can be tackled and solved. So it makes it very, very exciting. We have been around for seven years as a company. We are VC backed. Our big lead VCs are BGF, British Growth Fund in the UK, and Parkwalk advisors who are supporting kind of e -tech startups in the UK.

Tom White (06:53.068)

Shahram Mossayebi (07:13.902)
And yeah, on the mission side, the goal is the vision of the company is to secure the connected world with zero trust. So what we are realizing about security is there are a lot of band -aid type solutions out there that they see the problem and they quickly come up with a solution that only solves that problem superficially and they just move on. We’re trying to not…

do incremental things, but solve this problem, provide a solution to solve things exponentially, basically. So we want to be fundamental and solve things properly rather than being abandoned. But that’s a big differentiator. Because of that, we look at this IoT security problem very, very differently from a lot of other people. And I guess we were one of the early people seven years ago who realized you cannot solve IoT security without

starting the security from the hardware side, then bridge it to the software side, the embedded side, software side, then to the cloud. So it’s not just, oh, we’re just a software company or just a hardware company. So we’re trying to provide a full stack and connect all these essential elements together to provide an end -to -end security that solves everybody on the supply chain without the need to trust other people on the supply chain or be in kind of a…

Niamh (08:37.052)

Shahram Mossayebi (08:38.83)
be tied to them that they can’t do anything else and they need to always abide with that vendors or that suppliers because they’re using in a specific service from them. We’re trying to give them that freedom and control over how they want to achieve security, but do it properly that protects them for the future. So yeah, that’s what we’re trying to achieve.

Tom White (09:00.708)
Thank you for that. Yeah, I think, yeah, you’re absolutely right. Security is often seen as an afterthought or a gold plating exercise. And unfortunately, that’s where attacks can happen, right? We did a podcast recently with Codasip and they were talking about memory flow.

Shahram Mossayebi (09:19.594)
Oh, absolutely. Yeah.

Tom White (09:22.276)
attacks, and so on. And, but if you if you go from the hardware upwards and have a security first zero trust mindset, this is where it can can limit some of these these aspects. But but it’s a mindset shift, I think actually, sharam, isn’t it for a lot a lot of manufacturers? What what? Yeah, everybody, you know, indeed.

Shahram Mossayebi (09:39.104)
Indeed, yes. Everybody, yeah. I mean, this is a famous saying, security is a chain, right? And you can do everything perfect in some part of it, but if somewhere else someone didn’t do a good job, the whole chain will break. And that’s the problem. And this is being magnified in the IoT ecosystem because it’s not just, I build this device and I’m using it my own.

is you’re buying the MCU from somebody, somebody else builds the board for you, somebody else writes the software and the firmware, someone else does the provisioning to your device, someone else package everything for you, someone else do the system integration part of it, and then you use different cloud services, and then there’s a different user. So there are so many touch points that things can go wrong. And if these people don’t do their bits right or following a proper method,

then things can break. And that makes having IoT security, building IoT security very, very hard. So unless the whole mindset shifts to the point that, okay, if you fundamentally from ground up follow specific things and asks for specific things, then this is solvable. This is achievable. And this is what we’re trying to do, create a framework, providing the tools for everyone on the supply chain that can…

Niamh (11:03.58)

Shahram Mossayebi (11:07.438)
test some bits on whatever they’ve received and then build on top of it and then pass it on to the next person. Then the next person can do the same in a secure manner. And hopefully that way that this thing stay intact and you can achieve security.

Tom White (11:23.102)
I think one of the things that we need to work on together in this industry as a community is raising awareness. So having a podcast like this and getting more people, you know, the front of mind as a phrase I used earlier, because you’re right, you know, it is a chain, but you can rest assured actually that there’s always going to be a weak link, but you can’t not do anything.

Shahram Mossayebi (11:32.622)

Tom White (11:50.468)
So you can’t just forget about it because that would be disastrous and you can’t build anything. But it is a massive challenge. The example, I’ve referenced this on the podcast a few years ago of the thermostat in the fish tank in this casino in Las Vegas. You know this one? Yeah. Ah, you know the date. Yeah, yeah.

Shahram Mossayebi (11:51.054)
Absolutely. Absolutely.


Niamh (11:59.822)

Shahram Mossayebi (12:08.014)
Oh yes, 2017. Yes. Yeah, funny enough, I recently talked about that attack in one of the IoT SF event in London. Yeah, I mean, that just shows you how crazy IoT security could get and the impact of it. There is, I’m sure your audience watched Mr. Robot.

Tom White (12:17.86)


Tom White (12:36.418)

Shahram Mossayebi (12:36.526)
That is also like a geeky on Amazon Prime about this hacker that during the day he does white hat type things at night, he becomes a kind of a black hat person. So there’s the same scenario there as well that he taps into a thermostat into a data center and bears down the data center physically by kind of manipulating the whole cooling system. And then the whole data center bursts into flames.

Tom White (12:46.884)

Shahram Mossayebi (13:05.774)
When that episode came out, I spoke with some people here in the UK from a very famous networking company. I don’t want to say the name, but they said they saw that episode and they actually thought, is this really possible? Can we really do this? And they emulated the attack and they actually managed to physically do the attack, show that this attack is possible in real life.

So that makes it very scary. And then that fish tank is a great example of maybe to not to that extent, but someone just getting through connected thermostat and then finding a way to the WiFi, through the WiFi to your local network, then the enterprise network, then getting all the data out. And yeah. It’s…

Tom White (14:00.868)
When do you think this will change, Sharam? So, you know, we had this in, you know, 2017. You know, you’ve been doing some excellent work. I mean, the ratio of PhDs in your business is probably the highest I’ve ever heard of any business, right? And you’ve got some bright minds and some really clever people doing this. I mean, is this something that is, you know, is always going to be a problem? Or do you think that we’re going to break the back of it and actually

Niamh (14:06.798)


Tom White (14:30.404)
get to grips with it in coming years. What’s your view on that?

Shahram Mossayebi (14:35.662)
Well, so I guess the good news is we see a paradigm shift on the ground, on the manufacturing floors, through the supply chain, end users, regulations, CRA asking for these things, for instance, we’re going to talk about it. So we’re certainly seeing a shift and awareness and people have started changing things and being more alert about it. A great example of it is which .com, the website that checks the quality of

consumer goods, et cetera. Now it actually has a segment for file secure, easier connected, I don’t know, baby camera. They actually look into the security. They said, oh, we easily hack this device, don’t buy it. And they rate the security of connected devices in consumer electronics, et cetera. So you see these elements being more colorful every day and every day. And I’m sure because of the regulations.

it become at least in Europe and hopefully, you know, other part of the world becomes better and better and better. And the fact that there are other regulations, industries are pushing for standards and frameworks, they’re all pointing towards that direction. So hopefully, things will change and will improve in the next year or two. I believe it would. The bad news is security is still being looked at as an added cost, not a value add.

Niamh (15:49.308)

Shahram Mossayebi (16:01.326)
or how it can enable other capabilities for the end user or for the manufacturer or brand, et cetera. So because of that, I’m still worried that a lot of companies will find ways to get around it and just ship things that are not really secure, have those type of band -aids, false security promises on the product that could fool people and they can still sell on a cheaper price to compete. And then those will cause havoc.

in our lives because they will be found on the internet.

Tom White (16:35.46)
Yeah, yeah, I think, I think it’s, I think, yeah, personally, I think it’s always going to pose an issue, because as security gets better, you know, hackers and crackers are going to get better at what they’re doing. And so you’ve got this constant race, you know, good V, good V evil. But but you’re right, I think the consumer mindset and the witch actually is a really good example, because that is the consumer’s guide.

to actually white goods and others. In fact, I follow them on Instagram. I learned the other day that you don’t have to put the washing tablet in the hopper. You can just throw it in, right? So I think it’s a great publication, but also shows that people are taking this more seriously. Now, this is a really nice link, Sharam, into another topic that we’re gonna talk about today about regulations and acts that are coming into…

Shahram Mossayebi (17:21.742)
Mm -hmm.

Tom White (17:29.808)
into place that weren’t previously there. So the EU Cyber Resilience Act. So some of our listeners and viewers may know about this and some don’t. So would you mind doing me the honours and just explaining what this is and why we should take note?

Shahram Mossayebi (17:33.134)

Shahram Mossayebi (17:45.134)
Of course, yeah. So back in 2021, finally, EU kind of have this conversation. So just a quick, like a background, pandemic made a lot of people connect a lot of devices, especially on the industrial scale, through the internet, because suddenly they realized that they need to be able to work remotely. And that meant a lot of these devices already had vulnerabilities, known vulnerabilities in them. Now they are connected to the internet.

At that turn, the cybercrime skyrocketing. And as a result, cost of the economy billions and billions of dollars in the past couple of years. And that suddenly alerted all these governments, especially EU and UK and US, that they’ll be losing a lot of money because of the cybercrime on the connected devices. So back in 2021, the conversation started inside European Union and the parliament at how can we…

prevent this? How can we secure connected devices or the IoT? So that’s where it’s coming from. So they started the process in 2022 or early 2023. They actually put out the framework of what they mean by IoT security, which is the most comprehensive technical IoT security definition at the regulation level I’ve seen. They are

they are recognizing the fact that you cannot achieve IoT security without paying attention to the hardware security. And there needs to be a link between hardware security and software security and then the cloud, et cetera. So they really going or following a security by design paradigm from ground up for any connected device. But then they’re categorizing the different type of connected devices, whether it’s a critical one because it sits in factories and national infrastructure.

et cetera, or is a less critical one, still connected that you need to have some levels of security. But if it gets hacked, the damage is not as important, perhaps. So it needs different layers of security, but it still requires that security by design element inside. So this is how it started. And about a week ago, it finally passed. So with

Tom White (19:53.118)
Hmm. Hmm.

Shahram Mossayebi (20:06.766)
overwhelmingly passed, the law passed in the European Union, and now is with the states to individually pass it. So I think in couple of months, it becomes the law in the European Union. And there is a 12 month and 18 month, depending on the type of device, to be enforced. So sometime in 2025, this will be enforced. And if you’re already shipping a connected device to European Union,

you need to be aware of that because in a year or so someone might put their finger on saying, oh, this doesn’t comply with CRA and you might be in trouble. So a little bit about the details of CRA.

Shahram Mossayebi (20:51.31)
So first of all, it’s not just about the end, the last person or brand company who sells the device. They are taking into account everybody who touched the device to build the device. If you provided just a component for that device, that component plays a role that could…

the security of the device overall, you needed to play your own role to prevent that. So you could be a software designer, you could be component provider, you could be the company who designed the whole board, you could be a distributor who brought the device from APAC to European Union. They will go after everybody if vulnerability is found inside the device.

And they are asking for some basic things. So basically from a…

Again, security by design principle, they say each device needs to have its own unique identity that can be recognized and verified by cloud services, for instance. So you cannot just use a default password for all your devices. The device actually needs to be able to, in a passwordless way, authenticate itself to you or to a service, and that needs to be unique to that device. That identity needs to be stored securely.

at the hardware level inside each device. And then once you have those things, then this device is connected by an end user to a cloud service. And let’s say vulnerability is found in the firmware or the software that runs inside the device. That is fine, but you should already have a mechanism for that device so the owner or the user can update or you can update and patch that vulnerability remotely and securely.

Shahram Mossayebi (22:44.366)
And if you don’t have any of those and those are being found by regulators inside European Union, you will be given a short period of time to quickly fix it. Or then you will get big fines. We’re talking about 10s and 20 millions of euros, or depending on how the size of your company could be even bigger. And the devices might be recalled from the market, et cetera.

So very much like the GDPR that there are like very severe fines around it is the same kind of the following the same the same model for CRA as well. Absolutely, absolutely. There are a couple of areas that they really like about it how it’s been.

Tom White (23:11.172)
Yeah, that’s really going to help combat the weak links that we spoke about earlier, right?

Shahram Mossayebi (23:34.058)
defined. Obviously, they recognize and they believe that this doesn’t will not make all the devices hack proof and that that is fine. I think what they’re trying to achieve is making sure all the devices has a certain level of security in them that makes them secure against the usual hacks and attacks and easily being broken basically. But also if something found in them, we still can patch them and prevent from them.

posing a big, big, big problem in European Union, et cetera. The other aspect is how technical they are explaining the security, the fact that they’re really going deep into the hardware security aspect of it and the connection to the software security aspect of it. That’s also very interesting to me.

Tom White (24:27.076)
Yeah, I think, you know, what this is doing is creating a benchmark and raising the level of interest and focus on a certain level of security, right? As you say, you know, they’re not saying you have to guarantee it’s hack group, because you couldn’t guarantee that. You know, we spoke earlier about good for evil and the balance racing all the time. It’s impossible.

say that, but it stops negligence, you know, when it comes to security and when there’s no security, you know, in fact, I was having a conversation with one of your one of your team at an IOTSF event a couple of years ago, and they were talking to me about, you know, going to a CCTV convention, and asking everyone who does the security and no one could answer the question. No, no, no one could say who did the security, what it was actually how it worked, etc. So,

Shahram Mossayebi (25:11.438)

Tom White (25:27.172)
I think what this does is it stops that from happening and it stops the really bad cases. But my hope is similar to the GDPR as well, and my personal view on it, is that there’s a pragmatic approach to be taken. So we’re looking to say to the manufacturers and the people in the chain that are showing negligence around security that that’s not okay. But actually the people that are doing quite well that may make mistakes or that aren’t perfect.

Shahram Mossayebi (25:40.91)
Absolutely, yes. And I think they have done a good job. And also, again,

Tom White (25:56.708)
that we’re not going to chastise those people too harsh as well. So there needs to be a balance, right?

Shahram Mossayebi (26:08.142)
they categorize different devices. So not all the devices are super critical and needs to have the up -notch security level, et cetera. Not all the devices needs to go and be certified by independent bodies. A lot of the devices, they claim 90 % of consumer electronics, for instance, can be kind of go through a self -assessment by the manufacturers and, OK, we provided this, we provided this.

you can do this, you can do that. So we followed all those regulations that you asked for. So this is certified. And then if later on they randomly check and see things, if they found you that you haven’t been compliant, then yes, they’ll come after you. But generally, it seems that they’re not trying to be very harsh about it. We kind of push everyone.

to a very, very high standard security, but put a really good framework in place and kind of guide everybody, please follow this and try to implement as much as possible, depending on how sensitive your device is and who the end user is, basically. And like GDPR, I’m hoping once this is happening in a couple of months and a year at most,

Tom White (27:14.148)

Shahram Mossayebi (27:20.898)
pretty much the rest of the world follows. I mean, already there are over 20 plus type of IoT security regulations going around the world, UK, US, Europe, Australia, Singapore, a lot of other countries are looking, doing these things as well. But hopefully once this happens, pretty much everyone follows suits and follows the same standards. And that also helps with the headache that the manufacturers have because

the shipping and exporting to all sort of places in the world. So it’s hard to follow up with different regulations as well.

Tom White (28:01.412)
guess also from a business.

business for people in your field, working in security and helping customers improve their security because you’re likely to receive, and one would imagine, a lot more requests actually for help, I would say.

Shahram Mossayebi (28:17.718)
Indeed, no absolutely. I mean, anyone who worked in the security domain knows selling security in general, whatever that is, is not an easy task because as you said, security always been an afterthought anyway. So generally selling security is hard and is even harder in the IoT ecosystem because of the fragmentations and…

the lack of clarity of accountability for security, who is actually in charge of security, why the device manufacturer should pay for security if the end user actually benefits from security. There are always these conversations around who is accountable for IoT security. And this is actually one of the bits that CRA is addressing because essentially taking everybody into account, saying whatever you’ve done.

you had a tiny bit play for cybersecurity aspect of this and you should play that rightly. For a couple of reasons, we started since maybe nine months ago, we started seeing the paradigm shift on the ground. Definitely CRA and the fact that now you cannot get a CE mark if you’re not being compliant with CRA from a manufacturing point of view that is obviously putting

Tom White (29:25.252)

Shahram Mossayebi (29:38.896)
manufacturers to be more careful and conscious about, can I get my CE mark in the next six months or not? So definitely are asking for help how to be CRA compliant, which we’re happy to help them. On the other hand, we started hearing more requests to help for…

integrating security by design into different products because now the end user, regardless of the regulations, are security conscious. They are worried about their data. They are worried about their AI model that they are running at edge, where the IP goes, where my data set goes, and all sort of things. So there are a lot happening at the edge that…

that makes the user or the owner of the edge more conscious about security. And that being translated going down the line and now reaching the manufacturers. And so that’s another aspect that we have already started seeing a paradigm shift on the market and people being more security conscious and asking for security.

Tom White (30:38.728)
Yeah, I think overall, which is a good thing, much like GDPR, you know, I think businesses, you know, when they when they heard this, you know, coming into force in 2018, you know, felt it was another challenge that they had to deal with. But actually, if you see it from a consumer point of view, you know, you don’t want your

you know, your details being fragently spread around and so on. And, and actually, you’ve really got to look at the US and see that it’s the land of the cold calls, right? You know, people are frequently being sold things because GDPR isn’t an act there, there’s similar privacy acts, of course, but you know, this, this ultimately is, is, is a responsibility measure, right? So I think it’s, I think it’s a, I think it’s a good thing. I think it’s a good thing.

Shahram Mossayebi (31:19.982)

Indeed. I agree. I agree. Yeah. And the other aspect of it is, which European Union is really great at is not just coming up with the regulation, but actually enforcement. California, I think around 2017, they came up with the very first IoT Security Act. They were the very first one that actually put something out as a regulation for IoT security. But I never heard that this has been enforced in California.

Tom White (31:37.184)

Shahram Mossayebi (31:56.086)
Based on the act, you cannot import any connected device, even being a doll, for instance, or a toy, to California if it doesn’t have infrastructure for secure update over the end. But I never heard that anyone actually went and checked and someone got fine or things like this. So I didn’t see any enforcement. But the European Union from GDPR, we know that they will be very serious on the enforcement side.

Tom White (32:25.184)
Yeah, absolutely, because with no accountability, you know, comes no reason to do it. So I think moving on just quickly, if I can, about how actually your, because it’s really interesting stuff, it’s really, really good, but I think how actually CryptoQuantique are working towards this from.

Shahram Mossayebi (32:26.062)
And that’s what makes it different. Yeah. Yeah.

Tom White (32:50.852)
from the quantique side, so from the quantum side. So it’d be interesting to dive into that a little bit because quantum for me, I am fascinated by quantum. The Schrodinger’s cat analogy, the super state, it’s just everything that we’ve ever learned about computing from a binary point of view or going down to NAND and NOR gates, being on and off, it seems like you throw it out the window.

Shahram Mossayebi (32:51.634)

Shahram Mossayebi (33:07.95)
Of course.

Tom White (33:20.43)
It’s completely separate to how quantum can work and how it can interact.

of security that can be involved with Quantum and with acts like this, from a high level point of view, what are the advantages and what are you kind of working towards with some of your customers and how can we integrate Quantum and are we there yet? I guess is my question.

Shahram Mossayebi (33:47.406)
Yeah, yes, of course. I mean, from a quantum security point of view, we have been, industry in general, has been way ahead of quantum computing side of things. So quantum computers and how we want to build them, what algorithms we want to run them, that’s a way more complex scenario that still is progressing. And some people are making good progress in the field using different mediums, et cetera, to achieve to a

to arrive at a universal quantum computers that actually can do all sort of computation. But I believe we are still some years away from that estate despite the recent kind of achievements and progress that the industry have made. On quantum security side though, we have been way more advanced. So,

Niamh (34:43.612)

Shahram Mossayebi (34:44.47)
Quantum key distribution been around since early notice, since 2008, 2009, became commercialized. And now there are all sort of big companies selling quantum key distribution protocols. These are devices that create an end -to -end. So between two points, use a form of light to basically send bits from one end to the other end.

And because of the quantum laws, if someone in the middle tried to read what bit is being sent from A to B, that will disturb the system. And then the two people involved in exchanging those information through light can detect that. Hence, it’s kind of unbreakable in that sense. And no one can ever eavesdrop on this model without being found out. Hence, A and B can redo the model or find other ways to extend.

the secret between each other and relies on how quantum physics works and how quantum measurement works, for instance. So this been around and being used, but because the fact that it kind of only works ad hoc end to end in that sense, and it’s limited by the distance between A and B, et cetera, from an industry point of view and application point of view is very limited.

Also, the devices are too big, so you can’t really have them on a chip inside an IoT device, basically. But it gives you a good concept for quantum security or unbreakable security, basically. Then moving from there, you see cryptography evolving into post -quantum cryptography or quantum secure cryptography, which are the usual algorithms that we knew, the mathematical models that we knew, such as elliptic curve that you mentioned.

But instead of relying on hard problems that we know quantum computers can break and solve and break the cryptography algorithm, they are relying on other hard mathematical problems such as lattices or some others. That right now we don’t know if quantum computers can break them or not. So we certainly don’t know any algorithm that can run on a quantum computer and break those or solve those hard problems. So we believe, or the community,

Shahram Mossayebi (37:05.966)
believe that there are some hard mathematical problems that will withstand the power of quantum computers. And we still can build cryptographic algorithms on top of them that could be around and keep us secure in a normal way that we do it today. A piece of software, easy to commute, exchangeable, and deployable, even while quantum computers are around. So that’s one aspect of what we do. But…

Shahram Mossayebi (37:46.03)
run versus elliptic curve, ACDSA, things like this, especially on resource constrained IoT devices. What we’re doing is we’re finding ways to make them more efficient for low resource devices to achieve quantum security even on those devices at that cryptography level. Then there is another aspect of quantum security which we do, and that is

How can you use locally, can you use some quantum phenomena to generate the randomness that then you use for cryptography to generate keys, generate identities and things like this. And that’s where we have utilized quantum tunneling that happens on silicon today on CMOS to either generate randomness, just a stream of random numbers, like a quantum random number generator, or use it as a path for root of trust. And that’s the

That’s two silicon IP that we have that reads the very, very low current of gate leakages that happens because of the direct quantum tunneling at the transistor level and uses that to either create a pool of randomness that is reconstructable and that become a path or just use it to produce a stream of random numbers to be used for cryptography or other means.

And this, when you look at it, at the face of it, it just looks like a normal silicon IP that you just drop into any chip. And we already have integrated it with some semiconductor companies and chip designers in different process nodes on TSMC and global foundry fabs, basically. And so that’s the other aspect that we do. The quantum side is interesting in that aspect because in case of the puff,

It gives you a higher level of security and reliability versus any other path that classically are using classical method to generate the path effect. And so for instance, the way quantum tiling works, by child attacks just doesn’t work on them. So you’re just inherently secure against that child attack. And about 18 months ago or so, we got that verified by an independent security lab in France.

Tom White (39:56.58)

Shahram Mossayebi (40:07.516)
So they ran common criteria tests, AAL4 plus type side channel attack tests on our test chip and they couldn’t get a bit out. So we have proven these things on the app. So it gives you these higher level of security just because you’re playing with this kind of quantum phenomena. And on the randomness side, it just gives you better higher entropy or reliable entropy for which always valuable when it comes to cryptography.

generating keys and exchanging keys.

Tom White (40:39.14)
Yeah, I think it’s a wonderful overview. Thank you for that. I have a question for you and what you’ve said. We’ve been speaking about resource constraint devices for a long time in the industry, but is any device now really resource constrained? Because a resource constrained device 20 years ago to compare to what it is today is quite different, isn’t it? So what denotes a resource constrained device today?

Shahram Mossayebi (40:49.788)
Yes. Yes.

Shahram Mossayebi (41:02.298)

Shahram Mossayebi (41:07.004)
And I think from compute PowerPoint for you, even the low level MCU today are pretty powerful. So to your point, I don’t think we really have a compute power problem, but we do have, when it comes to post quantum cryptography, we will have memory problem. So the flash, the amount of flash that is available.

inside MCUs or the S -RAM that is available inside MCUs, et cetera, that is not enough if you want to run quantum secure cryptographic algorithms on your MCU, because usually their public key or their private key could easily be like a megabyte. That’s just too much for an MCU, for instance. So these are the kind of problems.

Part of it we can solve with having a path that can handle multiple keys, such as our QDit path. So you don’t actually need to store anything inside memory. You just generate them on the fly and use them, and that’s it. But in some cases, yes, you need to find a way to store some of the secrets. The other side is the size, the number of handshakes that needs to be done. Again, the bandwidth that they use is

is too much or then the size of the signatures are too much. So these are nuances that in a protocol in cryptographic algorithms we’ll be trying to improve so it makes it better to run on even low constraint IoT device.

Tom White (42:48.74)
Got it, got it. Thank you for that. Yeah, it’s an interesting question. It’s always a challenge you want to answer, but yeah, I think you’re right. It’s a memory limitation as opposed to a compute one because it’s physically not the space to be able to put it there. I wanted to ask you, as I’m coming to the end of the podcast today, about the open source community and your views on working with the open source community and its effect on security in general. So…

Shahram Mossayebi (42:56.804)

Indeed, indeed. Absolutely, yeah.

Tom White (43:17.988)
Some of the greatest initiatives in computing have come from the open source community. Linux and GNU and various initiatives over the years. What’s your view on working with the open source community?

Shahram Mossayebi (43:24.252)
Yes. Yeah. Yes.

Shahram Mossayebi (43:33.884)
I think it’s a valuable asset and when it comes to cybersecurity definitely. So for instance, on the on the tip side on the hardware side of things, we are a member of open hardware group, RISC -V, open hardware group, RISC -V International, GSA, the Global Semiconductor Alliance. So we definitely see a lot of value for the community come together and work on

common goals together and then open source that for the end users for various reasons. One is people see how things need to be done properly. Like for instance, when you want to design a chip and then you look at some of these designs, open source designs that are available and they have taken care of memory management, secure boot, secure compute and things like this. The least is you learn from the…

Niamh (44:32.252)

Shahram Mossayebi (44:32.476)
or there is a source that you can trust and other people are working with that you trust. And from a cryptography point of view, we always believe in making everything available so people can attest the security aspect of it, they can verify the security aspect of it. And if there are vulnerabilities, it’s being announced openly and being fixed versus black boxes that you don’t know.

Niamh (44:54.876)

Shahram Mossayebi (45:00.988)
going on inside. And sadly, history showed us that a lot of the time things could go wrong massively. And then, yeah, it’s too late to do anything. So definitely when it comes from security, I mean, cryptography essentially is an open source community in general, because all the algorithms that you use from a cryptography security assessment, the very first assumptions that you make is the adversary knows the algorithm.

Niamh (45:25.436)

Shahram Mossayebi (45:28.892)
You only think the adversary doesn’t know is the secret key. Now show me how the adversary can break this. So this is basic photography when you design a new algorithm. And seeing this on other variety of security communities, I think is very valuable. I think it helps educating the ecosystem, helps educating different companies, but also giving them confidence in what they need to be.

what they are integrating, what they’re using, or what they need to be doing. So we are very supportive of the open source community. There are some challenges when it comes to CRA for open source communities, such as Linux and others, because CRA keeps all the component vendors accountable for security. Now, if as an end user, you get your Linux kernel from an open source community,

and something goes wrong there, then the Linux community essentially is accountable now. Or, and that might make the vendors to kind of avoid going and getting files and libraries from open source community because they can’t guarantee security or there’s nobody really accountable on that side. But there are some right now frictions between open source community and the whole CRA regulations.

Recently I heard they are trying to find a way to solve that so people still will use the open source software and other things even though they know that there is this thing that they need to abide with.

Tom White (46:59.528)
We don’t want to take a step back, right? So, you know, the CRA is taking a step forward. So we actually don’t want to stop the community being able to help improve security.

Shahram Mossayebi (47:22.684)
Indeed, indeed. Of course, but also at the same time, maybe this is a great opportunity for the vendors to be more active in the open source communities to do those tasks of security aspect. Let’s contribute more. A lot of things are being done by the open source community. Let’s take responsibility and help with the security aspect of it.

Tom White (47:24.312)
by worrying them of retribution, right?

Tom White (47:45.764)
Yeah, yeah Yeah Yeah Yeah, yeah, I have many friends that That write comments to the to the limits kernel and so on. It’d be interesting to see their foot their thoughts on this and

Shahram Mossayebi (47:50.288)
So we can make sure that the open source is compliant with CRA, et cetera. So that’s another angle to it, perhaps. We can even improve the open source community processes.

Shahram Mossayebi (48:07.396)

Oh, absolutely. Yeah. Yeah, absolutely. Absolutely. And yeah, I mean, if you Google, you come up with a lot of a lot of interesting conversations. People weren’t happy initially, but I think now CRI are making some changes to accommodate some of the concerns from the open source communities. Yep.

Tom White (48:11.876)
so on right you know

Tom White (48:28.324)
I think it’s the headline though, isn’t it? The headline here is that we’re, you know, ultimately, what are we doing this for? You know, we’re doing this as a good thing, you know, and it should be perceived as a good thing, which if not even perceived, it should be noted as a good thing. Could perceive some perceptions, slightly different things. Sharam, it’s been wonderful having you on the IIT podcast. I’ve really enjoyed the conversation. I think we could have gone on for…

Shahram Mossayebi (48:42.896)
Absolutely. Thank you.

Tom White (48:54.468)
for hours and hours about various topics. But I think we’ve given a really good overview of you, your business, incredibly bright minds, clever people doing some really important things for everyone. And I think we talk about the community, but actually it’s beyond that because it’s everyone that interacts with the device, everyone that uses technology on everyday lives, which is synonymous with where we are at the moment. So as we come to the end of the podcast, we always go for a quick couple of…

Shahram Mossayebi (49:09.244)

Tom White (49:23.844)
questions which I’m going to do with you now, Sharam, if that’s okay. It’s a little bit more like -hearted. So we’re coming up to stack a little bit actually from post -quantum securities or something a bit more like -hearted. In general, what challenge would you, that you face, would you like a technical solution for that currently isn’t there in the world?

Shahram Mossayebi (49:24.956)

That’s it. Sure.

Shahram Mossayebi (49:47.616)
Interesting. I would say kind of finding and hiring the best people is hard. And sadly, I don’t think recruiters are helping much, to be honest. So yeah, if there was a technical solution for that, that would be brilliant.

Tom White (50:11.908)
I think, do you know what? I mean, I could answer this a lot, owning two recruitment businesses in this space. I’d say that the problem that you have with that is people are people. And people sometimes don’t necessarily just want to interact with a machine and an algorithm, right? So you need the bad recruiters to make sure that the good ones, you know that they’re good. Which is unfortunate. Which is unfortunate.

Shahram Mossayebi (50:29.564)

Shahram Mossayebi (50:37.148)
That’s also true.

Tom White (50:40.58)
but unfortunately it’s the way of the world, right? I think LinkedIn, you know, tried to solve this. Their whole mission statement of manifesto was to remove the link, but unfortunately what it has now done is it’s driven the great people away. So the great people aren’t on LinkedIn because they get spammed constantly, right? So, yeah. So it’s a difficult concept. I feel like we’ve opened…

Shahram Mossayebi (50:53.952)
Yes, tell me about it, yes.

Tom White (51:07.828)
open a box of frogs here with lots of, yeah, yeah, with lots of different ways to talk about it. But that would be interesting. And I think if someone could nail that, they’d be onto a good thing. But many have tried. But I think ultimately what it boils down to in my view, and you can tell I’m quite passionate about this, I think is someone wants to talk to someone and they want their experience, their opinion. The reason why…

Shahram Mossayebi (51:08.92)
Adorable, yeah.

Shahram Mossayebi (51:30.948)

Tom White (51:35.588)
generative AI can produce such wonderful copy quite quickly and it’s getting better. I mean, sometimes it’s not good. The reason why people read the opinion of Jay Rayner when he’s a restaurant critic or Jeremy Clarkson, because they like the opinion and they trust the opinion of that person. And that’s something actually that technology is going to find difficult to replace certainly when it comes to something so important like moving jobs in my humble opinion.

Shahram Mossayebi (51:58.876)
No, no, no, I absolutely agree. Absolutely agree.

Tom White (52:01.54)
Yeah. A gadget that you can’t live without.

Shahram Mossayebi (52:06.844)
I’m holding my phone sadly. Oh, they keep removing things from…

Tom White (52:09.448)
Same, same. In fact, I forgot to put mine on silent before the podcast and I think it was going off and it’s the new iPhone. It doesn’t have the button that you can just turn to silent anymore. So yeah, well now I have a great idea that the button can do lots of different things. But all I really want to do is turn it off. I don’t want to turn the light on or make another call. I just want to turn it off. So I was actually thinking that when it was ringing early. I was thinking, why isn’t the button just there now?

Most unexpected thing that you’ve learned this week, maybe there’s something from Taiwan.

Shahram Mossayebi (52:47.196)
Most unexpected thing that I learned this week. I learned some nuances and complexities in Chinese language. Yeah. How one word means three different, totally three different, have totally three different meanings. But the way you said is just by moving the accent, either a little bit forward or a little bit backwards. It’s just incredible how complex this language is.

Yeah, so that was unexpected for me.

Tom White (53:21.572)
How interesting, how interesting. And then finally, something that you’re passionate about, Sharam, outside of work.

Shahram Mossayebi (53:29.244)
Something I’m passionate about to be, you know, no, no. So, but this is the thing since, so when I was a PhD student, I used to be very active and do all sorts of sports and art and have passions basically. But when you start a company, and I’m sure you probably, it probably resonates with you, when you start a company,

Tom White (53:34.308)
Don’t say security.

Shahram Mossayebi (53:57.108)
suddenly becomes your world to the point that you basically drop everything and you really push hard for the vision that you have and the mission that you want to achieve. So it’s hard really to think about anything outside of the world that you’re in, which right now for me is IoT security, to be honest. But I think my passion always been problem solving.

generally. So, and that problem could be any problem outside of my work as well. But something that is interesting to read about, learn about and try to move the needle a little bit or move the boundaries a little bit. So, I think that’s what I’m passionate about. And right now is IoT security and quantum security and things like this.

But outside of the board could be helping a friend or helping a group of people trying to achieve something else or learning about a new subject and ideating about new things.

Tom White (55:03.332)
Do you know what, I thank you for that. That was a great answer. I think I’m exactly the same as you. When people ask me that question, sometimes I remember hobbies that I had when I was a kid, actually. And then you think, well, actually, I don’t really have anything outside of work. But I think it’s very poignant because the problem solving, great, you know, engineers mindset, clearly. But also, I think sometimes we all need a bit of downtime and realize, you know, that it’s good to take a break and it’s good to do something different.

So maybe if we take one thing from this actually from this podcast outside of security, maybe we just both need to refine what our passions are, right? So there we are.

Shahram Mossayebi (55:33.87)
Indeed. Yeah.

Shahram Mossayebi (55:42.232)
Indeed, yeah, absolutely. Believe it or not, I used to play rugby. From there, I’m here now. But yeah, I’m trying to keep active here and there. But yeah, so yeah.

Tom White (55:48.868)

Tom White (55:52.844)
Same. Yeah.

Tom White (55:59.332)
We’ve got to make the time for ourselves because no one else is going to do it. You know? You know? Sairam, thank you for joining me on the IoT Podcast. I’ve really enjoyed the conversation. It’s been a great… Yeah, it’s been fantastic. I’ve really, really enjoyed it. Thank you. And I’ll see you soon.

Shahram Mossayebi (56:02.084)
Indeed. Oh absolutely agreed. Yes absolutely agreed absolutely agreed. Yes.

Shahram Mossayebi (56:10.212)
Thank you.

Shahram Mossayebi (56:13.564)
Thanks for having me.

Likewise. Thank you.

Thanks so much. It’s been great. I appreciate it. Thanks for having me and have a great day.


About our guest

Shahram Mossayebi, Founder and CEO of Crypto Quantique, is dedicated to revolutionising IoT security. With a background in physics and cryptography, combined with years in cybersecurity, Shahram founded Crypto Quantique to offer a holistic, user-friendly solution. Their groundbreaking approach integrates physics advancements into low-cost devices and intuitive software, ensuring robust security for IoT applications.


Crypto Quantique pioneers transformative solutions in IoT security. Committed to revolutionising the landscape of cybersecurity, Crypto Quantique combines cutting-edge advancements in physics and cryptography with intuitive software to deliver robust, scalable security solutions for the Internet of Things (IoT) ecosystem. By integrating groundbreaking physics innovations into cost-effective devices and user-friendly software, Crypto Quantique ensures comprehensive protection across diverse IoT applications, from connected cars to high-end consumer goods.

Find out more about Crypto Quantique: Here 

Connect with our guest