Infineon’s wholehearted embrace of post-quantum cryptography (PQC) and securing its solutions accordingly comes from its recognition of the threats that could be posed by quantum computing. Robert Bach, Product Marketing for Semiconductors ID Solutions at the company spoke to IoT Insider about its approach to PQC.
The company demonstrated how it is securing its products with the certification of one of its security controllers in January 2025. The solution in question was certified by the German Federal Office for Information Security and signified how it was preparing itself for quantum computers.
Quantum computers have the potential to crack conventional algorithms with their advanced computational capabilities and therefore must be considered in the development of products which have life cycles of 10 years and onwards.
“We’re talking about a device that has restricted resources,” explained Bach, referencing the security controller. “If you have a big computer [or] a big mainframe you can do all kinds of cryptography, you don’t have to reflect ‘is my hardware powerful enough?’
“But if you have a tiny security controller which should not be too expensive, inside of a smart card or an authentication product, you cannot, for example, double the functionality of that chip.”
This meant that the security controller was an especially challenging application to have PQC certified, and it still needed to be secured against classical attacks as well.
“That’s the reason why certification is so important, because with certification … you can have a very good feeling that the implementation has been done in a secure way,” added Bach.
Post-quantum cryptography journey
Infineon began its journey with PQC around a decade ago, when it implemented a PQC algorithm onto a contactless security chip. It won two SESAME Awards for its efforts.
“We intensified our approach to post-quantum cryptography three or four years ago,” explained Bach, “going out, telling everybody in the industry: please start preparing for the quantum computer and for quantum resilience.”
Preparedness across industries varies widely. Governmental institutions have been aware of the subject, Bach noted, but for some people there remain question marks about what quantum computing is and what to prepare for – drawing on an example of a speech that was given to German industry companies at an event last year, Bach said when he asked about who had heard of a quantum computer, around 10% of the audience raised their hands.
“There are industry segments where the awareness level still is very low,” Bach continued.
Companies like Zoom have already integrated PQC, however this has been a relatively simple application where integration is concerned. Applications like national ID cards and security controllers are trickier.
In terms of engaging with these industries that are less prepared and aware, Bach said at Infineon their approach was first to do their own “homework” as a semiconductor company before looking at other companies.
“What we’re saying is we do not know when the quantum computer will really come,” said Bach. “But what we would advise to our customers [is] you can already start now [with] using the hardware and start implementing.”
PQC in digital IDs
From his position, Bach addresses post-quantum cryptography from the perspective of government institutions involved in managing digital identities.
“What becomes very clear at least in a couple of countries [is that] a lot of governmental documents will be migrated soon to post-quantum cryptography. Because here you have the problem … that … once you put it out in the field, it stays in the field for 10 years.”
This time period is even longer for the automotive industry, where a security controller in a vehicle needs to be quantum secure for approximately 15-20 years.
The challenges aren’t technical, said Bach, but are related to application standards, or the lack thereof: “Depending on the industry and the application … you need to have worldwide interoperability, otherwise you cannot travel.”
This means that if one nation, for example France, decides to integrate PQC into its passport and Germany does not recognise this, a traveller wouldn’t be able to cross over the border.
“First there must be an application standard,” Bach stressed. “It is easier in closed systems, for example, for a car manufacturer. A car manufacturer can decide to migrate its cars early to quantum resilience, because they control the system … and they don’t need … interoperability.”
Therefore, implementation of PQC in digital identities is going to take longer because the standards first need to be agreed upon. This was why Infineon “started communicating years ago,” said Bach, and discussions in governments about IDs are ongoing.
“You have two possibilities to mitigate [the effects]. First, you could think of reducing the lifetime of the documents. Instead of 10 years, you give out a passport for five years.
“The second topic, and that’s discussed more and more, is to make the products upgradable in the field.”
When I pointed out that some people may not be enamoured with having their passports issued every five years, instead of 10, Bach agreed; making the suggested upgradable route more attractive.
What does this look like?
“If you don’t have an application standard, then your product, your ID card, has to fulfil the old application standard, otherwise you wouldn’t be interoperable. Once a new standard comes in you have a possibility to upgrade via software products [in] the field.”
Whether this is a digital identity, an IoT product or a vehicle, it means all of these solutions would be quantum secure and interoperable. These discussions around mitigations are ongoing, and no government has decided on what to do yet.
Future PQC roadmap
The certified security controller represents the first step for Infineon, who have plans to upgrade around 80% of its security controller portfolio to PQC, as well as integration into its standard microcontrollers and automotive controllers.
“Post-quantum cryptography is not really rocket science, [but] quantum computers might be,” said Bach. “Quantum computers are complex …. Using post-quantum cryptography will get easier and easier, especially if you have all the products available.
“But we expect long transition periods because it is complex to upgrade the whole system to a new kind of cryptography. And this is valid for all kinds of industries.”
Interestingly, Infineon is involved in working on components for quantum computers. In September 2024, it was awarded a contract along with Oxford Ionics to build a mobile quantum computer.
However, this shows that quantum computing as a technology isn’t mutually exclusive: it doesn’t only have to be viewed through the lens of security risks and therefore must be feared. It can also be leveraged as an invaluable tool for solving advanced computations and benefiting a wide array of industries.
“On one hand, we’re fighting against quantum computers. On the other hand, it’s not just necessary to concentrate on the bad things you can do with it. You can do a lot of good … with a quantum computer,” Bach concluded.
There’s plenty of other editorial on our sister site, Electronic Specifier! Or you can always join in the conversation by visiting our LinkedIn page.
