Guides
Quantum Security from IoT to Cloud: A Guide to Eclipse ThreadX-Q
The quantum threat is a present-tense risk
The asymmetric cryptography that underpins secure communications was never engineered to resist a cryptographically relevant quantum computer. As progress in quantum computing accelerates, the public-key algorithms protecting data exchanged between connected devices and cloud services move steadily closer to obsolescence. The exposure is immediate rather than distant: encrypted traffic intercepted and stored today can be retained until quantum hardware is capable of decrypting it, an approach commonly described as ‘harvest now, decrypt later’.
The scale of the problem is considerable. With more than 11 million new IoT devices connecting every day, and a growing proportion performing mission-critical functions, the volume of sensitive data travelling between device and cloud continues to rise. For any organisation operating a sizeable connected estate, securing that data against future quantum decryption is now a board-level resilience question, not a theoretical one.
This guide from Quantropi examines how Eclipse ThreadX-Q provides quantum-secure protection across the full path from device to cloud, working with existing network infrastructure and without the wholesale re-engineering that many security upgrades demand.
What is Eclipse ThreadX-Q?
Eclipse ThreadX-Q is Quantropi’s quantum-secure extension of the Eclipse ThreadX NetX Duo networking stack. Available across all major MCU chipsets, it integrates Quantropi’s QiSpace platform directly into the embedded networking layer, delivering three capabilities that classical security stacks cannot:
- Asymmetric (public-key) cryptography resistant to quantum attack
- Symmetric encryption with extended key strength
- Genuine quantum entropy for key generation
ThreadX-Q is designed to preserve the reliability, flexibility and performance that engineering teams already expect from Eclipse ThreadX NetX Duo. Any application running on that stack can be configured to use ThreadX-Q, providing a route to quantum security that builds on the infrastructure already in place.
The TrUE framework: Trust, Uncertainty and Entropy
Quantropi structures its approach around three principles it terms ‘TrUE’. Each maps to a component of the QiSpace SDK:
- Trust is delivered through MASQ, a set of crypto-agile algorithms for key exchange and digital signature. MASQ supports NIST post-quantum cryptography standards, hybrid configurations and Quantropi’s own algorithms, allowing organisations to adopt standards-based PQC while retaining flexibility.
- Uncertainty is provided by QEEP, a symmetric encryption algorithm. QEEP can be deployed alongside AES in an AES-QEEP, FIPS-compliant double-wrapping arrangement, giving defence in depth for the most sensitive workloads.
- Entropy comes from SEQUR, which supplies quantum entropy for the generation of quantum-random and quantum-enhanced pseudorandom keys. Weak randomness is a frequently overlooked source of cryptographic failure, and SEQUR addresses it at source.
Inside the QiSpace SDK
The technical substance of the guide lies in its breakdown of the three QiSpace components.
MASQ incorporates Quantropi’s novel HPPK-KEM and HPPK-DS algorithms, designed for environments with resource constraints or demanding performance requirements. The figures are notable for embedded use:
- HPPK-DS produces digital signatures of just 160 bytes, with strong performance on both signing and verification. It has been submitted to NIST for standardisation under the recent call for digital signature proposals.
- HPPK-KEM offers small public and secret key sizes alongside fast key generation, encryption and decryption.
The guide benchmarks these against established candidates such as Dilithium5, Falcon1024, Kyber1024 and Classic McEliece, illustrating where the smaller footprint and lower computational cost are most valuable.
QEEP is Quantropi’s symmetric algorithm, supporting key lengths up to 32,768 bits. Its performance characteristics suit constrained hardware:
- Up to 18 times faster than software AES-256, and up to twice as fast as hardware-accelerated AES-NI
- A code footprint as small as 2.4KB, engineered specifically for environments such as IoT
- FIPS-compliant operation when paired with AES
SEQUR delivers the entropy services. It can source quantum entropy from Quantropi-hosted QRNG devices or support customer-controlled entropy sources. SEQUR NGen provides a PRNG supporting up to 100KB of entropy, and QiSpace entropy passes the recognised statistical test suites, including NIST STS, ENT and DIEHARDER.
Extending quantum security to the cloud
Securing the device is only half of the path. To provide a quantum-secure endpoint in the cloud, Quantropi offers HAProxy-Q, a QiSpace-powered implementation of HAProxy built with the QiSpace SDK. Running as a virtual machine, HAProxy-Q bridges quantum-secure communications between IoT devices and public cloud IoT services. It also draws on SEQUR to feed strong quantum entropy into the virtual machine’s entropy pool, strengthening key generation at the cloud boundary.
Together with QiSpace TLS-Q and pre-built integrations for X-Cube-Azure and X-Cube-AWS, this allows quantum-secure channels to be established end to end, from the embedded device through to the cloud services it depends on.
Why this matters for IT and security leaders
For senior technology and security leaders, the practical value of this guide lies in three areas:
- Migration without disruption. ThreadX-Q works with existing network infrastructure and the familiar Eclipse ThreadX stack, reducing the cost and risk of a security transition.
- Standards alignment. Support for NIST PQC and FIPS-compliant configurations helps organisations align with emerging regulatory and procurement expectations around post-quantum readiness.
- Defence in depth. Crypto-agility, hybrid algorithms and AES-QEEP double-wrapping allow security teams to layer protection rather than depend on a single algorithm.
Quantum readiness is increasingly a question of when, not whether. Building it into connected device estates now is considerably less costly than retrofitting protection once classical cryptography has been compromised.
Download the full guide
The complete Quantropi guide sets out the architecture, algorithm benchmarks and deployment model in detail. Download your copy to understand how quantum-secure communications can be established across your IoT to cloud estate.