Post-Quantum (or PQ) is the British cybersecurity startup that just won’t give up on its strange, unsettling vision of the future. Techworld recently caught up with it for the second or third time since it was founded in early 2009, still toiling away making software designed to cope with a world where quantum computers have smashed today’s encryption to smithereens.
This world doesn’t yet exist but that hasn’t stopped PQ quietly building a suite of secure communications software to cope with the serious consequences for the day it does. It can sound pretty far-fetched at first. Who wants to buy software for a world that is, in all probability, at least 10 or 20 Years hence? It turns out the company’s technology has useful applications today but CEO and explainer Andersen Cheng is very upfront about his experience with wary VCs whom he admits have often glazed over when they first hear the rarefied PQ technical pitch.
Out of the blue, in July 2016, after mostly self-funding PQ for years on their own plus with only a small investment they got from being part of the Barclays’ Techstars accelerator programme, something unexpected happened: VMS Investment Group and AM Partners wrote a cheque for £8 million (around $11 million at today’s depressed rate) in series A funding.
Getting such a healthy round of investment at series A is impressive but doing so seven years into its existence when ongoing funding has been minimal is highly unusual.
Good news for sure but it raises a fundamental question – why has Cheng and his band of distinguished brilliant co-founder brothers, CTO Dr Cen Jung Tjhai and Professor Martin Tomlinson of Plymouth University, stuck at it when most sane men and women would have moved on to something else years ago?
The answer might have something to do with Cheng himself, who is by turns honest and defiant about the problems his company has faced in being taken seriously. With a degree from Imperial College, followed by experience with various spin-offs and incubation projects and time working for US Carlyle Group, Cheng is probably, dare one say it without invoking cliché, an old-fashioned, dogged maverick.
Cheng traces the moment of PQ’s genesis to a conversation he had with Tomlinson in 2003.
“One day he came to me and said that when quantum computers appear the whole of computing infrastructure will be bust,” opens Cheng, before spelling out the limitations of today’s world in which encryption remains intact.
“We are within three years of having a major a major cyber-Armageddon. We are close to meltdown.”
The feeling that the failures of security are starting to generate large but often hidden problems plays on his mind, as it does on many others in the security field.
From this, after a lot of hard work by a small team at SRD Wireless (which morphed into PQ), funded by contracts from the UK Government, the PQChat secure messaging app emerged in 2014. Based on the obscure but intriguing 1970’s McEliece crypto algorithm, is described by Cheng as a patented a ‘never the same’ (NTS) design in which no two messages have the same encrypted output.
It got a lot of press attention as a ‘more secure’ WhatsApp than WhatsApp (the latter has since upgraded its security to use Open Whisper Systems’ Signal protocol) that was, it claimed, secure to whatever damage quantum computers might do to encryption. This is a highly theoretical claim that remains to be proven and it’s worth underlining that the NTS system is proprietary and therefore not open to external inspection in the way that Signal appears to be.
Cheng is endearingly open about the scepticism of the market.
“It’s been a difficult pitch for us,” he says. “Selling encryption is a very difficult proposition because people will not believe you.”
He goes even further, admitting that he and the other founders even thought of quitting at one point after PQChat launched but didn’t quite take off as a standalone app. White hats loved it but by the time it appeared on an ISIS recommended secure applications list, the team was having second thoughts. The app disappeared from the App Store and is now available only as part of the firm's enterprise toolkit.
“People have been laughing at us, saying it is stupid. […] “We were on the verge of giving up but decided to carry on.”
Although Cheng downplays it, a turning point might have been being accepted into the Barclays 2015 Techstars programme, a 15-week accelerator course that seem to rejuvenate the company’s self-belief.
Post-Quantum - Microsoft office for security
Since then, PQ has added three new bits of software to its roster, PQ Check (and authentication app), PQ Share (a secure sharing app), and PQ Guard (the underlying encryption engine used in the firm’s software). Each can be used standalone but work best together, says Cheng, who goes on to describe the combined effect as being like “Microsoft office for security”, at which point people “people get it straight away.”
Post Quantum today feels like it is enjoying its own second coming. Very few people really understand what it does and it’s still ahead of a customer base that does seem to be biting at last. That might have more to do with the boom in interest in secure messaging inside businesses and the urgent need to boost identity systems beyond today’s crude technology.
At times, the PQ story has sounded like the rubber baron Fitzcarraldo hauling his steamboat over a mountain in search of an imaginary redemption. With money behind it, execution will be the new story, the need to sell the software to real customers. The fact PQ s still here feels like a small miracle. In the end, like Fitzcarraldo, what you most admire in the founders is their dogged refusal to give up.