European standards group ETSI has released a quantum-safe report on how to protect organisations from quantum computers that can crack existing encryption systems.
Post-quantum encryption technology is being standardised, but organisations need to be aware of the risks to existing cryptography as quantum computing becomes mainstream.
The Technical Report TR 103 619 defining migration strategies and recommendations for Quantum-Safe schemes, and enhancing cryptography awareness across all business sectors
ETSI has highlighted the threat of quantum computing to existing asymmetric cryptography. However, recognizing the threat is not sufficient, nor is knowing that a quantum-safe cryptographic algorithm exists to enable encrypted assets in a business to be protected. The entire business must now be ready to migrate to a new Fully Quantum-Safe Cryptographic State (FQSCS). In anticipation of this, the technical report defines a framework of actions that an organization should take to enable migration to a Fully Quantum-Safe Cryptographic State.
“What we lay out in the migration Report is getting the role of cryptography and the depth of its integration in a business better understood. We need to increase cryptography awareness so that people send out encrypted data keeping in mind that it may be commercially sensitive years later when attacks are possible. This helps counter harvesting attacks,” said Scott Cadzow, the Rapporteur of the Technical Report in the ETSI QSC group.
The quantum-safe migration framework is in three parts.
The first stage makes the simple point that migration cannot be planned without knowledge of the assets in the organization that will be impacted by a quantum computer. This stage outlines that compiling the inventory is a business process that will require a dedicated manager and a budget assigned to its development and maintenance, recognizing that this may be an extension of existing inventory management with a particular focus on cryptographic properties.
Stage two involves detailed planning, and is again treated as a business process. The broad assumption is that migration will be on a