Shielded: The Last Line of Cyber Defense
Securing the Silicon: How HP Designed Quantum-Safe Hardware from the Ground Up
November 6, 2025
Hardware defines trust. If its cryptography fails, no amount of software protection can recover it. In this episode of Shielded: The Last Line of Cyber Defense, host Jo Lintzen speaks with Thalia Laing, Principal Cryptographer at HP, about how HP engineered quantum-safe protection directly into the hardware root of trust. Thalia explains how her team launched the world’s first quantum-safe Secure Boot for business PCs, why hybrid RSA + LMS was the right bridge between certification and quantum resilience, and what it takes to safeguard firmware that can’t be patched in the field. Expect a grounded discussion on hardware-level migration, LMS parameter design, and the practical steps every enterprise can take to secure devices that will outlive today’s algorithms.
As quantum computing advances, organisations can no longer treat hardware migration as a secondary task. Thalia Laing, Principal Cryptographer at HP Security Lab, explains how HP adopted a hardware-first approach to post-quantum security by launching the world’s first quantum-safe Secure Boot for business PCs ahead of NIST standards. She describes how HP integrated hybrid RSA + LMS signatures to preserve certification assurance and user performance while adding quantum-safe protection at power-on. Thalia outlines the operational design behind LMS state management, parameter selection, and cross-team testing to ensure verification speed and long-term reliability. She details why many enterprises overlook hardware-implemented cryptography in their inventories and how this blind spot undermines migration plans. She highlights how securing firmware integrity extends device lifespan and builds measurable confidence across product lines. The discussion reinforces that protecting the hardware root of trust is the first step toward true post-quantum resilience.


Thalia Laing is the Principal Cryptographer and Security Researcher at HP Security Lab, where she leads research and implementation initiatives in post-quantum cryptography, hardware-based security, and trusted computing. She has played a key role in HP’s development of quantum-safe Secure Boot for business PCs and printers, integrating hybrid RSA + LMS architectures that strengthen firmware integrity and protect devices throughout their lifecycle. Over nearly eight years at HP, she has contributed to advancing cryptographic standards, security innovation, and enterprise readiness for the quantum era.


Thalia holds a PhD in Cyber Security from Royal Holloway, University of London, where her research on enhanced threshold schemes explored the balance between security and efficiency in distributed cryptographic systems. A member of the NIST NCCoE Migration to PQC Project, she continues to collaborate across industry and academia to accelerate the adoption of quantum-resistant security technologies. Known for her rigour and clarity in applying cryptography to real-world engineering, Thalia focuses on designing security foundations that endure across generations of hardware and emerging post-quantum standards.


Your Roadmap to Quantum Resilience


[05:58] Step 1: Protect the Root of Trust First –
Quantum resilience begins where trust begins, which is in hardware. Thalia explains why HP started its post-quantum journey by redesigning the Secure Boot process, the first code executed when a device powers on. This verification chain is baked into silicon and cannot be patched in the field, making it the single most critical layer to protect against future quantum attacks. By introducing quantum-safe verification at this immutable level, HP ensured that even if traditional cryptography were compromised, the foundation of every PC would remain secure. The result is a hardware-anchored assurance model that outlasts software cycles and supports long-term device integrity.

Key Question: Which hardware-anchored components in your systems would compromise everything if their signatures failed?


[08:58] Step 2: Combine Proven and Post-Quantum Assurance –
Migration to post-quantum cryptography doesn’t mean abandoning what already works. HP adopted a hybrid RSA + LMS model to secure its business PCs, combining the certification maturity of RSA with the forward security of LMS. Both signatures must verify before a device will boot, and a nested design ensures consistency: the firmware is first signed with LMS, then the firmware and LMS signature are signed again with RSA. This dual chain preserves compatibility for existing customers while introducing quantum-safe protection seamlessly. It also satisfies regional and industry assurance requirements, an essential bridge between today’s standards and tomorrow’s mandates.

Key Question: Where could a hybrid model strengthen your cryptographic assurance without disrupting certification or performance?
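The nested signing order and the both-must-verify rule from Step 2, as an added example (not HP's code or from the episode). It assumes toy stand-ins throughout: a Lamport one-time signature in place of LMS, unpadded RSA over two small Mersenne primes in place of the certified RSA scheme, and hypothetical names such as `sign_image` and `boot_allowed`.

```python
import hashlib, secrets

def H(b): return hashlib.sha256(b).digest()

# Toy stand-ins (assumptions, not production crypto, not HP's code):
# a Lamport one-time signature plays the role of LMS (both are hash-based).
def ots_keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    return sk, [[H(a), H(b)] for a, b in sk]

def _bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def ots_sign(sk, msg):
    return b"".join(sk[i][b] for i, b in enumerate(_bits(msg)))

def ots_verify(pk, msg, sig):
    return len(sig) == 8192 and all(
        H(sig[32 * i:32 * i + 32]) == pk[i][b] for i, b in enumerate(_bits(msg)))

# Unpadded RSA over two Mersenne primes plays the role of the classical signature.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def _digest_int(msg): return int.from_bytes(H(msg), "big") % N
def rsa_sign(msg): return pow(_digest_int(msg), D, N)
def rsa_verify(msg, sig): return pow(sig, E, N) == _digest_int(msg)

def sign_image(fw, ots_sk):
    inner = ots_sign(ots_sk, fw)       # 1) hash-based signature over the firmware
    outer = rsa_sign(fw + inner)       # 2) RSA over firmware || inner signature
    return {"fw": fw, "lms_sig": inner, "rsa_sig": outer}

def boot_allowed(img, ots_pk):
    # Evaluate both checks, then require both: one valid signature is not enough.
    outer_ok = rsa_verify(img["fw"] + img["lms_sig"], img["rsa_sig"])
    inner_ok = ots_verify(ots_pk, img["fw"], img["lms_sig"])
    return outer_ok and inner_ok

if __name__ == "__main__":
    sk, pk = ots_keygen()
    img = sign_image(b"constructed firmware image v1", sk)
    print("genuine image boots:", boot_allowed(img, pk))
    # Model a future where RSA no longer protects: the outer signature is
    # recomputed over changed firmware, but no new hash-based signature exists.
    changed = dict(img, fw=b"constructed firmware image v2")
    changed["rsa_sig"] = rsa_sign(changed["fw"] + changed["lms_sig"])
    print("changed firmware boots:", boot_allowed(changed, pk))
```

Because the outer signature covers the inner one, replacing or blanking the hash-based signature also invalidates the RSA check.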


[11:53] Step 3: Manage LMS with Precision and Predictability –
LMS is powerful but operationally demanding. Thalia outlines how HP engineered its signing infrastructure to prevent state reuse, manage signature limits, and tune the Winternitz parameter, a key setting that trades verification speed for computational effort. Because firmware signing happens predictably and infrequently, HP could model the entire lifecycle of each key, ensuring that verification remains fast and the state never exhausts. Extensive cross-testing between the signing infrastructure and endpoint firmware teams helped find the optimal balance between performance and endurance. The result is a proven framework for implementing post-quantum signatures in live production environments.

Key Question: Have you built the operational discipline to manage state, limits, and parameters before scaling PQC deployments?
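A sketch of the three LMS concerns named in Step 3 (state reuse, signature limits, the Winternitz parameter), as an added example rather than HP's signing infrastructure. The size formula and parameter tables follow RFC 8554 for SHA-256 with n = 32; the release cadence, service lifetime, state-file layout and all function names are assumptions.

```python
import json, os

# RFC 8554 values for SHA-256, n = 32: Winternitz w -> number of hash chains p.
LMOTS_P = {1: 265, 2: 133, 4: 67, 8: 34}
LMS_HEIGHTS = (5, 10, 15, 20, 25)   # tree heights defined in RFC 8554
N = 32

def lms_signature_bytes(w, h):
    # q (4) + LM-OTS type (4) + C (n) + p chains (n*p) + LMS type (4) + path (n*h)
    return 12 + N * (1 + LMOTS_P[w] + h)

def max_verify_hashes(w):
    # Upper bound on chain hash calls when verifying one LM-OTS signature.
    return LMOTS_P[w] * (2**w - 1)

def min_height(signatures_per_year, service_years):
    # Smallest single-tree height whose 2**h leaves cover the planned lifetime.
    need = signatures_per_year * service_years
    return next((h for h in LMS_HEIGHTS if 2**h >= need), None)

class LmsState:
    """Leaf-index counter that is committed to disk before an index is released."""
    def __init__(self, path, h):
        self.path, self.capacity = path, 2**h
        if not os.path.exists(path):
            self._commit(0)

    def _commit(self, q):
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"next_q": q}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)      # atomic swap of the state file

    def reserve(self):
        with open(self.path) as f:
            q = json.load(f)["next_q"]
        if q >= self.capacity:
            raise RuntimeError("LMS key exhausted; rotate to a new key")
        self._commit(q + 1)             # a crash after this line skips a leaf,
        return q                        # it never hands out the same leaf twice
```

Copying the state file or restoring it from a backup rolls the counter back, so the file needs the same handling controls as the private key itself.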


[21:16] Step 4: Close the Hardware Inventory Gap –
Visibility drives every successful migration, yet most crypto inventories overlook what’s embedded in hardware. Thalia emphasises that many scanning tools capture software libraries and network protocols but miss firmware-level cryptography entirely. Secure Boot keys, embedded verification logic, and hardware root certificates often sit outside conventional monitoring systems. HP encourages organisations to supplement automated scans with manual verification and vendor collaboration to document these hidden elements. Only by mapping cryptography end-to-end, from cloud to chip, can enterprises manage risk and sequence migration effectively.

Key Question: Does your cryptographic inventory capture the unseen hardware roots that define your trust boundary?


[25:32] Step 5: Build for Physical Resilience –
Quantum safety is only part of the equation; physical resilience completes it. Thalia explains how HP integrates side-channel and fault-injection protections into hardware designs, preventing attackers from bypassing verification steps or manipulating power and timing behaviour. Since such defences cannot be retrofitted after deployment, they must be planned at the design phase alongside cryptographic migration. The goal is not just mathematical security but operational assurance: devices that remain trustworthy even under physical access or lab-level attack.

Key Question: How aligned are your hardware-level countermeasures with the cryptographic strength you rely on?


[18:21] Step 6: Prioritise Long-Lived, Hard-to-Update Devices –
Every device has a lifespan; cryptography often does not. HP’s migration strategy focuses on hardware that will remain in service for years: business PCs, printers, and embedded peripherals. By upgrading these devices first, HP reduces exposure to the “harvest now, decrypt later” threat and avoids expensive retrofits when new standards become mandatory. Thalia calls this “future-proofing at the factory”: designing security that endures as algorithms evolve and threats mature. Prioritising longevity over convenience transforms security investment into measurable business value.

Key Question: Which products in your portfolio will still be operational when quantum attacks become real, and are they ready today?

