AWS re:Inforce 2025: Quantum won’t kill your crypto. An old smart TV might

The story of quantum computing usually unfolds in labs, white papers and the occasional Netflix thriller. But in a bland conference room at the AWS re:Inforce 2025 security conference in Philadelphia this week, it took on a far more domestic feel.

“You’ll plug a smart TV into a set top box with a connection, and you bought it from someone that sold you something 11 years later and it hasn’t had a software update in eight,” AWS lead cryptographer Matt Campagna told Gadget in an exclusive interview.

That old device in your living room might be the weak link in the future of cryptography.

Campagna wasn’t being alarmist. He was laying out the real and immediate challenges of building post-quantum cryptography (PQC) that both protects systems in theory, and holds up in the patchy, out-of-date reality of global infrastructure.

“We think a lot about these long-life devices,” he said. “Things that will be in the field for 10-15 years with no patch path. If they don’t get updated, they will never get PQC.”

One report claims a quantum computer from China was 10-million times faster than the fastest conventional supercomputer for certain calculations. That makes it simple matter to break encryption or cryptography that was previously considered unbreakable.

While quantum decryption is still years away, adversaries are already recording encrypted data, intending to decrypt it once quantum is ready. That means the vulnerability window is already open.

“That is by far the biggest, I think, most vulnerable aspect,” said Campagna.

The warning comes from someone who has earned the right to issue it. Campagna heads cryptographic standards for AWS and has led efforts to transition its infrastructure to PQC well ahead of formal mandates. He has been tracking quantum computing for 25 years, since the University of Waterloo in Ontario, Canada, started the first Institute for Quantum Computing and formalised the field.

But his biggest fight, it turns out, isn’t quantum. It’s human.

“We’ve done a huge amount of work internally just to try and make sure our own software is not going off and using a crypto library that’s not being maintained,” he said.

That may be the most candid truth of this interview: cryptography fails not because the maths is weak, but because developers use bad code.

“We do code reviews. We have a team that writes crypto code full-time and tests it and validates it. And if you’re not using that, you’re doing something wrong.”

It is partly about security hygiene, but mainly about readiness. While a full-blown quantum attack on public key infrastructure, which uses digital IDs for online trust and security, may still be a few years off, preparing the systems is not optional.

“It’s a foregone conclusion,” Campagna said. “National security systems will move to PQ as a requirement over the next five years.”

Already, agencies in the US, Canada and the UK are deploying PQC standards, spurred by mandates like the US National Security Memorandum 10, which President Biden issued in 2022 to prmote US leadership in quantum, and mitigate its risks.

Campagna is careful to separate compliance from security.

“There’s a difference between deploying PQC and being PQC secure. It takes time for an organisation to build all the right pieces. But every step matters.”

For AWS, those steps include hybrid key establishment, which pairs classical and “quantum-safe” algorithms, so that connections remain secure even if one is compromised in the future.

Meanwhile, the threat landscape keeps evolving. Machine learning is already part of the cryptanalyst’s toolbox.

“We’ve been using machine learning inside AWS for a while now on things like signature fuzzing and identifying vulnerabilities. It’s not generating cryptographic algorithms, but it helps test them.”

That’s a long way from the AI-as-evil-genius narrative often attached to quantum. In Campagna’s world, AI is a microscope, not a hammer.

“We really are in our infancy in understanding the other business applications. I think material science and pharmaceutical breakthroughs are nearer term than cryptanalysis. Most people don’t realise how hard it is to write good quantum algorithms.”

“Security doesn’t end with crypto,” he said. “It starts with how you build, maintain and update the systems that use it.”

* Arthur Goldstuck is CEO of World Wide Worx, editor-in-chief of Gadget.co.za, and author of The Hitchhiker’s Guide to AI.