The ETSI Quantum-Safe Cryptography (QSC) working group is pleased to announce the release of Technical Report TR 103 619 defining migration strategies and recommendations for Quantum-Safe schemes, and enhancing cryptography awareness across all business sectors.
The threat of quantum computing to asymmetric cryptography has been extensively reported in ETSI’s work and elsewhere, and has been recognised as an existential threat to the many business sectors that rely on asymmetric cryptography for their day-to-day existence. However, recognising the threat is not sufficient, nor is knowing that a quantum-safe cryptographic algorithm exists to enable encrypted assets in a business to be protected.
Increasing cryptography awareness
The entire business must now be ready to migrate to a new Fully Quantum-Safe Cryptographic State (FQSCS). In anticipation of this, ETSI has developed a new technical report defining a framework of actions that an organisation should take to enable migration to a Fully Quantum-Safe Cryptographic State.
“What we lay out in the migration Report is getting the role of cryptography and the depth of its integration in a business better understood. We need to increase cryptography awareness so that people send out encrypted data keeping in mind that it may be commercially sensitive years later when attacks are possible. This helps counter harvesting attacks,” says Scott Cadzow, the Rapporteur of the Technical Report in the ETSI QSC group.
Focussing on cryptographic properties
The migration framework, and the migration plan that documents it, comprises the following three stages:
- Inventory compilation.
- Preparation of the migration plan.
- Migration execution.
The first stage makes the simple point that migration cannot be planned without knowledge of the assets in the organisation that will be impacted by a quantum computer. This stage outlines that compiling the inventory is a business process that will require a dedicated manager and a budget assigned to its development and maintenance, recognising that this may be an extension of existing inventory management with a particular focus on cryptographic properties.
Existing working deployment
Stage 2 involves detailed planning, and is again treated as a business process. The broad assumption is that migration will be on a like-for-like basis: an asset protected by asymmetric cryptography will be protected in the same manner after migration, and assets protected by symmetric cryptography will likewise be protected in the same manner after migration.
However, it has been documented that during migration planning some assets may be substantially redesigned and perhaps even retired. One aspect stressed in stage 2 is that migration and initial deployment designs will achieve the same end point; migration differs only insofar as there is an existing working deployment that supports business functions sensitive to disruption.
The role of stage 2 is to ensure that the entire business is aware of the migration and that its importance is recognised. The final stage 3 is the turnkey element of the migration itself. The ETSI Report offers a series of checklists to address the management and planning of migration in some detail.