Why entropy, identity, and execution—not just algorithms—will define the next era of cybersecurity
Adversaries don’t need quantum computers today to pose a risk. They’re already collecting encrypted data—everything from:
- TLS and VPN traffic
- Satellite communications
- Mission system telemetry
- PKI-protected identities
Why Waiting Isn’t an Option
The Industry Misconception: Algorithms Alone Solve the Problem
- ML-KEM (for key exchange)
- ML-DSA (for digital signatures)
- Entropy (Randomness): If your cryptographic keys are generated using predictable or pseudo-random methods, the entire system is compromised—regardless of algorithm strength. Reality check: “Pseudo-random” means fake randomness. And quantum adversaries can exploit that.
- Identity: PKI certificates and device identity underpin zero trust architectures. If those identities can be spoofed or forged, authentication collapses—no matter how strong your encryption is.
- Execution: If cryptographic operations occur in exposed memory or OS-level processes, a compromised system means compromised keys.
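The entropy point above, as an added example (not from the briefing or from any vendor code): a 256-bit key drawn from a timestamp-seeded, non-cryptographic PRNG can be reproduced by anyone who can bound the seed, so its real strength is the size of the seed space, not the key length. The provisioning timestamp, the window, and all function names are constructed for illustration; the operating system's CSPRNG stands in for whatever vetted entropy source a deployment uses.

```python
import hashlib
import math
import random
import secrets

def weak_keygen(seed: int) -> bytes:
    """Anti-pattern: a 256-bit key from a non-cryptographic PRNG
    (Mersenne Twister) seeded with a guessable value such as a timestamp."""
    return random.Random(seed).getrandbits(256).to_bytes(32, "big")

def strong_keygen() -> bytes:
    """Baseline: 256 bits from the operating system's CSPRNG."""
    return secrets.token_bytes(32)

def fingerprint(key: bytes) -> str:
    """SHA-256 fingerprint, so the audit never handles raw key inventories."""
    return hashlib.sha256(key).hexdigest()

def audit_key(fp: str, first_seed: int, last_seed: int):
    """Defender's audit: regenerate every key the weak generator could have
    produced for seeds in [first_seed, last_seed] and compare fingerprints.
    Returns the matching seed, or None if the key is not reproducible."""
    for seed in range(first_seed, last_seed + 1):
        if fingerprint(weak_keygen(seed)) == fp:
            return seed
    return None

def effective_bits(first_seed: int, last_seed: int) -> float:
    """Upper bound on key entropy when the only unknown is the seed."""
    return math.log2(last_seed - first_seed + 1)

# Constructed sample: a device provisioned around this Unix time; the
# auditor only knows the time to within one hour either side.
PROVISIONED_AT = 1_700_000_000
WINDOW = (PROVISIONED_AT - 3600, PROVISIONED_AT + 3600)

if __name__ == "__main__":
    weak_fp = fingerprint(weak_keygen(PROVISIONED_AT + 17))
    strong_fp = fingerprint(strong_keygen())
    print("weak key reproduced from seed:", audit_key(weak_fp, *WINDOW))
    print("CSPRNG key reproduced from seed:", audit_key(strong_fp, *WINDOW))
    print("effective entropy of weak key: %.1f bits" % effective_bits(*WINDOW))
```
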
What Actually Fixes the Problem: Hardware-Anchored Trust
- Quantum-based entropy (true randomness derived from physics)
- Verifiable device identity
- Secure execution within trusted hardware environments
Why This Matters
- Keys are never exposed to the operating system
- Cryptographic operations occur in isolated processor environments
- Execution is remotely attestable—proving not just what ran, but where it ran
What That Looks Like:
- Layering quantum-secure VPNs on top of existing VPNs
- Wrapping SSL/TLS with quantum-resistant encryption
- Supporting hybrid cryptography (classical + PQC)
- Phased deployment aligned with ATO and compliance processes
- Where does PQC fit into our architecture?
- Which systems store long-lived sensitive data?
- How does this impact zero trust and PKI?
- What can we deploy today without breaking operations?
The BLUF
If your data needs to survive the next decade, you can’t afford to think of quantum as a distant concern.
- Post-quantum risk is immediate—not future-dated
- Algorithms alone won’t solve entropy, identity, or execution vulnerabilities
- Hardware-anchored security is essential for true zero trust
- Migration must be incremental, hybrid, and operationally realistic
ATPGov is actively working with federal agencies and mission partners to implement:
- Post-quantum cryptography strategies
- Hardware-anchored zero trust architectures
- PKI modernization programs
- Phased, compliant migration plans
Synopsis
We summarize a briefing from an HPE Partner Day featuring EigenQ on post-quantum cryptography (PQC). It argues the quantum threat is immediate due to “harvest now, decrypt later” and rapid advances that could soon break today’s encryption, making long-lived government data vulnerable. The episode stresses that software-only PQC and algorithms alone are insufficient because key risks persist in entropy (weak randomness), identity (spoofable roots of trust), and execution (keys exposed in compromised hosts). EigenQ’s approach centers on “entropy, identity, execution,” using quantum-generated entropy and running PQC inside trusted execution environments with remote attestation so keys aren’t exposed to the OS. It emphasizes incremental, no “rip-and-replace” deployment via overlays (e.g., quantum-proof VPN/SSL), hybrid cryptography, and phased migration aligned to federal realities, with ATPGov positioned to help implement these solutions.
- 00:00 Introduction
- 00:38 Quantum Threat Is Now!
- 01:54 Harvest Now Decrypt Later
- 03:19 Why Algorithms Aren’t Enough
- 04:26 Entropy Identity Execution
- 06:13 Trusted Execution Advantage
- 06:57 No Rip and Replace Deployment
- 07:39 Phased Federal Migration Model
- 08:21 Hard Questions to Ask
- 09:10 Bottom Line and Next Steps
This episode is brought to you by ATP Gov. Visit us online at www.atpgov.com or follow us on LinkedIn.
Transcript
[00:00:00] Host: Welcome to The Bottom Line Up Front, the podcast that cuts through the noise to deliver distilled insights from today’s most important technical webinars, presentations, and demonstrations. Designed for federal and military IT leaders, each episode breaks down complex technologies into mission-ready takeaways so you get the key points fast.
Whether it’s cybersecurity, cloud architecture, or emerging defense technologies, we highlight what matters most and how trusted integrators like ATPGov can help implement and operationalize these solutions across your agency or command. No fluff, no filler, just the bottom line up front. If your data needs to stay secret for 10 years, it’s probably already at risk today.
That was the mantra at a recent HPE Partner Day featuring post-quantum cryptography, or PQC, vendor EigenQ. And in this episode, we’re going to keep the buzzwords at bay and talk about why software-only post-quantum crypto misses the real risk, why entropy, [00:01:00] device identity, and execution security are the actual problem, and what it means for agencies that can’t rip and replace their infrastructures.
Why quantum is a now problem.
[00:01:09] Prof. Jesse Van Griensven, PhD: So the government got intelligence information that they will be able to develop a quantum computer that will break the encryption. And you say, “So what?” Breaking one encryption here and there will happen soon, not later, soon, in a matter of 12 to 24 months. But because quantum computers are growing a trillion times faster, three or four years, an adversary nation can do a quantum attack in the United States, shutting down all the airports, all the hospitals, all the power plants, communications, in minutes, driving the United States to the Stone Age without firing a single bullet.
This is the situation we have today.
[00:01:54] Host: Let’s start with the phrase you’ve probably heard many times by now, harvest now, decrypt later. [00:02:00] Adversaries are already collecting encrypted traffic today, that being TLS, VPN, satellite links, and mission systems. They don’t need to decrypt it now, they just need to store it, and the moment a sufficiently powerful quantum computer comes online, or even a breakthrough algorithm hits, long-lived encrypted data becomes readable overnight.
That includes military communications, intelligence reporting, PKI-protected identities, OT, ICS, and satellite telemetry, and anything with a life cycle longer than 10 years.
[00:02:29] Prof. Jesse Van Griensven, PhD: Google, for example, with all their technological expertise, were bragging about reducing the algorithm from 20 million qubits to a million qubits.
So everybody was very impressed ’cause it’s 20 times. So I said, “No, I can do much better than that.” Just as an example to tell them that the Chinese must have done this. Because I did that and it wasn’t hard. I reduced it not by 20 times like Google did, and a lot of other companies. I reduced it by [00:03:00] 20,000 times the number of qubits that you need.
[00:03:03] Host: And with that said, what came through loud and clear in the briefing was waiting until quantum computers are here is too late. Migration timelines are longer than the threat timeline, and that’s why federal mandates now focus on near-term migration and not future planning.
[00:03:19] Prof. Jesse Van Griensven, PhD: But encryption is not enough.
It does quantum prove encryption. Why it is not enough? You encrypt and it’s perfect. Let’s say your laptop has this unbreakable encryption, but your password or your server exposed to the public is one, two, three. Who will not break one, two, three? So yet people are using their servers and generating the key in their own computers, which is called pseudo random.
You need to have completely random. Pseudo means fake, so it’s fake random, and then a quantum computer can break that.
[00:03:54] Host: Moreover, we need to understand that software-only PQC is insufficient. Most [00:04:00] conversations about PQC today stop at the algorithms themselves. You’ve heard names like ML-KEM for key exchange and ML-DSA for digital signatures, and these are NIST-selected quantum-resistant algorithms, which are necessary, but they’re not necessarily sufficient.
Post-quantum algorithms don’t fix weak entropy, compromised firmware, or exposed execution environments. And three problems remain even after, quote unquote, “upgrading your crypto”. The first being entropy. If cryptographic keys are generated from predictable or software-based randomness, quantum-safe math doesn’t matter.
Entropy quality becomes a compliance metric and not an implementation detail. Secondly, identity, that being PKI certificates and device identity are foundational to zero trust authentication, secure boot, and remote attestation. If those roots of trust can be spoofed or forged, then identities collapse no matter how good your algorithm is.
And thirdly, execution. If private keys and cryptographic operations live in memory or OS-level [00:05:00] processes, a compromised host means compromised crypto, and software isolation at that point is not enough. And this is where hardware-anchored execution becomes the main differentiator.
[00:05:10] Prof. Jesse Van Griensven, PhD: There is a hardware component.
We have that in the cloud as well. That’s how the IoT is then. We do certain things that are not using encryption, but it needs the keys. Everything I’m discussing with you tested, certified by NIST, and operational. That’s not a research project.
[00:05:26] Host: And in this case, EigenQ’s core architectural idea can be summed up in one phrase: entropy identity execution.
This creates a continuous chain of trust from power on to runtime because EigenQ leverages quantum entropy as their foundation. It’s physics-based randomness from quantum processes with no reliance on pseudo-random algorithms, and its provable key material is stronger. And you might be asking yourself, “So why does that matter?”
Because weak entropy silently undermines every downstream control and affects TPM-backed device identities, secure boot [00:06:00] verification, and continuous measurement and attestation. And this ties zero trust decisions to actual device states and not software-based assumptions. And we all know by now that zero trust only works if device trust can be measured and proven.
[00:06:13] Prof. Jesse Van Griensven, PhD: But with trusted execution environment, when you’re doing this encryption, it is executed in an area of the processor that nobody’s using. But let’s say somebody’s attacking you and they want to see how you are processing such that they can interfere with the security, we are on the trusted execution environment.
They can’t do anything.
[00:06:33] Host: And EigenQ’s post-quantum cryptography runs entirely inside of trusted execution environments. The private keys are never exposed to the host operating system, and cryptographic operations are remotely attestable. Even if the OS is compromised, the keys remain protected. And it’s also important to remember that software-based cryptography can’t prove where it ran, whereas EigenQ’s hardware-anchored execution can.
[00:06:57] Prof. Jesse Van Griensven, PhD: Or how do we… Do we have to yank out [00:07:00] all that you have and then put the EigenQ? That’s nuts because that will take 10 years to do that. No, the, the most difficult thing to do is to change somebody’s mind. And how do we do that? You’re not removing anything. We’re gonna go and put an envelope on top of everything.
And, oh, I’m used to operate using my VPN. Yes, okay. We put a quantum VPN proof on top of the VPN. Or use SSL. That’s okay. We have a quantum proof SSL that goes as an envelope, so it’s very quick adoption.
[00:07:35] Host: Overall, EigenQ’s strategy means no rip and replace. And one thing that came through clearly in the briefing, especially for those of us with federal programs, is that PQC has to deploy inside of existing system boundaries.
With EigenQ’s integration strategy, no agency is replacing entire PKI stacks, server fleets, or mission systems at the tactical edge. Because of their hardware architecture, they are able to emphasize [00:08:00] hybrid cryptography using both classical and PQC, phased migrations, and retrofit capabilities. Each phase in this model delivers independent risk reduction, including secure boot baselines, hybrid PQC services, and fleet-wide adoption.
This overall idea elegantly fits into how federal programs actually modernize and how ATOs actually work. But it’s also not that easy. You have to ask yourself the hard questions before implementing any PQC strategy. Where does the PQC actually belong in your architecture? What systems have long-lived data exposure?
How does this impact zero trust, PKI, ATOs, and compliance evidence? What can be deployed now without breaking the mission systems? Using EigenQ as part of your PQC deployment means solutions aren’t just installed, they’re integrated, and they’re integrated into existing HPE, Dell, and mixed server environments, into existing PKI and identity workflows, into fielded and disconnected edge systems, and it provides hardware-anchored [00:09:00] security, along with federal infrastructure realities and zero trust and cryptography modernization programs.
Though that list might sound like a bunch of buzzwords, it’s really about deployable trust. So what’s the bottom line up front? Post-quantum risk is immediate, not future-dated. Algorithms alone do not solve entropy, identity, or execution risk. Hardware-anchored trust enables zero trust that actually works.
And migration must be incremental, attestable, and federally realistic. And EigenQ’s hardware-based solution helps agencies implement PQC as infrastructure and not a theory. So if your data needs to stay protected beyond the next refresh cycle, remember that the clock is already ticking. So if you wanna go deeper on PQC, hardware-anchored zero trust, PKI modernization, or phased migration strategies for federal systems, know that ATPGov is actively working with agencies and mission partners on solutions right now.
Be sure to reach out to ATPGov today at www.atpgov.com or email [00:10:00] info@atpgov.com or check us out on social media on LinkedIn. Thanks for listening, and be sure to subscribe to the Bottom Line Up Front wherever you get your podcasts, and stay tuned for more distilled insights from the front lines of tech and national security.
So until next time, stay secure, stay mission ready.
About this Podcast
The Bottom Line Up Front is ATP Gov’s podcast that cuts through the noise to deliver distilled insights from today’s most important technical webinars, presentations, and demonstrations. Designed for federal and military IT leaders, each episode breaks down complex technologies into mission-ready takeaways, so you get the key points fast.
Whether it’s cybersecurity, cloud architecture, or emerging defense technologies, we highlight what matters most and how trusted integrators like ATP Gov can help implement and operationalize these solutions across your agency or command.
No fluff, no filler, just the bottom line up front.