Quantum computing might still be years away—but the risk to today’s data is very real. Janne Hirvimies, CTO of QuantumGate, explains why organizations must begin their post-quantum migration now.
So tell us a little bit about QuantumGate.
QuantumGate is a startup from the ATRC ecosystem. We’re a government or semi-government entity, and we launched last November in response to the UAE’s post-quantum regulation. That timing was intentional.
If we zoom out from the UAE, which is actually one of the leading countries globally when it comes to the post-quantum migration, we see that the UAE is ahead of the curve—especially in terms of regulation and compliance. The U.S. has already laid out post-quantum requirements, and the UAE is following suit. Europe is still mostly issuing recommendations, not enforcing compliance yet. Saudi Arabia is currently drafting regulations. So globally, the momentum is building.
The clock is ticking. Globally, the consensus seems to be that by 2030, systems need to be compliant. That’s why now is the right time. There’s real momentum. We launched QuantumGate to focus specifically on post-quantum migration and offer solutions to help future-proof data security.
Quantum computing is still maybe 10 to 15 years away—so why is everyone talking about it now?
That’s fair. I was just in Arizona recently speaking with IBM experts. IBM is definitely leading the quantum computing space. They were also asking the same question—how far away are we really?
One expert told me he estimates we’re five to seven years away from impactful quantum computing. In the beginning, sure, only a handful of quantum computers will exist globally. It’s not like your Gmail will be under immediate threat. But here’s the other angle: we protect data today for the future.
If it’s your health records, financial info, or personal identity data—you want it to stay protected for the next 10, 15, maybe even 30 years. And that’s the problem. Once quantum computers arrive, they won’t just weaken current encryption—they’ll render it completely obsolete.
Today, if I have your public key and I try to derive your private key using classical computing, it would take forever. But with quantum computing, I can run parallel operations and derive your private key in a day—or less. Once I have that, I can decrypt, sign, impersonate—essentially nullifying all your current cryptographic protections.
That’s why this isn’t about something being “a little broken”—it becomes completely broken. That’s why we need to act now. We need to introduce countermeasures to guarantee forward secrecy, even if widespread quantum computing is still five or ten years out.
Do you already have a quantum-safe product available?
Yes, we do. It’s called Q-Sphere—our product family focused on data security. Right now, we’re implementing the first three NIST-approved post-quantum cryptography standards. But this isn’t the endgame—new standards will continue to emerge.
That complicates migration because new standards break interoperability between old and new systems. So we also need to introduce hybrid solutions during this transition period. And that’s exactly why we say: you need to start planning now.
What’s the current challenge most companies face in terms of readiness?
Let’s forget about post-quantum for a moment and just look at cryptographic asset management today. That’s another big issue we’re tackling.
Most large organizations don’t have a clear owner of cryptographic assets. You’ll find infrastructure teams, network teams, app teams, security teams, and CISOs—but rarely anyone solely responsible for cryptographic materials or maintaining a cryptographic bill of materials (CBOM). Everyone’s responsible, which often means no one is.
That’s why we say the journey must start with discovery: understand your current cryptographic landscape. Migration won’t be one big upgrade. You won’t call Cisco and have it fixed in a day. It’ll require touching multiple layers of your tech stack—layer by layer, step by step.
You’ll need to monitor progress, assess risks, and possibly validate every stage of the transition. That all falls under cryptographic asset management—something few organizations do effectively today. That’s where we step in.
You mentioned a new partnership—what’s that about?
Yes, today we also launched a partnership with PwC, focusing on cryptographic asset management and post-quantum readiness. It’s about helping enterprises start this journey in a structured, measurable, and future-proof way.
What is Salina, the passwordless MFA?
Yes, that’s a good question. Salina is an advanced multi-factor authentication (MFA) solution—think of it as a “UAE Pass for enterprise.”
Instead of relying on passwords—creating them, updating them, or thinking about how to derive one from your cat’s name—Salina removes that burden entirely. Let’s say you need to log in to your Windows laptop. With Salina, you just pull out your phone and tap “OK”—bam, you’re in. It’s very similar to how UAE Pass works.
We integrate with Windows, Single Sign-On, Active Directory, and the cloud. In the background, passwords still technically exist—we’re updating them automatically according to your organization’s policy for complexity and frequency. If you have a legacy system that still requires entering a password, you can retrieve it in plain text from the app. But in most cases, you just approve the login directly from your device.
What’s the actual innovation in Salina?
Other solutions out there are basically password managers. They store your passwords in a protected database and drop them in when needed. But as we’ve seen, these databases can be compromised, exposing passwords for millions of users.
Salina works differently. We take over your password—but we don’t store it. Your password only exists when needed.
Here’s how: We use advanced technology developed in the UAE within TII (Technology Innovation Institute), specifically from the Cryptographic Research Center. The method is based on multi-party computation—more specifically, an oblivious pseudorandom function.
Is Salina quantum-resistant?
Not yet—and it doesn’t need to be at this stage.
Authentication, by nature, is short-lived. If I authenticate now, there’s no realistic attack vector where someone captures that request and replays it five years later. That said, we do have a quantum-safe roadmap for Salina to future-proof it as the threat landscape evolves.
Where quantum resistance is required right now is in data protection and communication encryption—because bad actors are already harvesting and storing encrypted data today, with the intention of decrypting it later once quantum capabilities become available.
