Cybersecurity for Banks in the Quantum Era 2024 PDF
2024
Alissa Pandikow, Sebastian Tufvesson
Summary
This document analyzes the challenges of cybersecurity in the banking sector due to the advancement of quantum computing. It explores the potential risks to sensitive customer data and financial transactions. The paper considers potential solutions, including quantum-safe cryptography and quantum key distribution, and emphasizes the importance of crypto-agile systems.
Länsförsäkringar AB 2024
CYBERSECURITY FOR BANKS IN THE QUANTUM ERA
ALISSA PANDIKOW, SEBASTIAN TUFVESSON

Executive Summary

As quantum computing continues to develop, the banking sector will face challenges in keeping its systems secure. Quantum computing has the potential to revolutionize the cybersecurity landscape and affect various industries, including banking, by solving complex problems beyond the capabilities of classical computers. Currently, banks rely on algorithms such as RSA and AES, which are vulnerable to quantum-based attacks using algorithms like Shor’s and Grover’s. The potential risks of quantum computing to the banking sector include the compromise of sensitive customer data, financial transactions, and the integrity of the banking system as a whole. Regulations, such as GDPR and DORA, further underscore the necessity for robust cybersecurity measures, including quantum-safe solutions. All over the world, researchers and companies strive to find suitable replacements for broken cryptographic schemes. Two areas have emerged: quantum key distribution (QKD) and post-quantum cryptography (PQC). QKD uses quantum communication, a new form of digital communication that allows for secure communication even against adversaries equipped with quantum technology. For it to be practically available, serious hardware improvements must be made, as the communication range is limited. Instead, PQC aims to develop cryptographic algorithms that could replace the ones broken by quantum computers. With the National Institute of Standards and Technology (NIST) spearheading a competition to find PQC algorithms, some solutions have been found. It is now up to businesses to employ these solutions, adjusting them where necessary to be compatible with existing systems. Case studies and implementations from early adopters, such as Cloudflare and IBM, and financial entities, like JPMorgan Chase and Santander, are valuable.
These demonstrate both practical steps and strategies for adopting quantum-safe measures and the benefits they offer. As can be seen, these organizations emphasize the importance of having crypto-agile systems, where switching between cryptographic primitives is straightforward. This adaptability is crucial in the context of quantum computing. Additionally, testing and validating such solutions for performance and security is important, with the necessary adjustments based on these results further underscoring the need for agile systems. Throughout this paper, and especially given how quantum computing has become relevant, collaboration has been one of the foundations of early adoption. In conclusion, the rise of quantum computing poses an urgent threat to banks, demanding immediate attention. By understanding the impact of quantum computing on the cybersecurity landscape, banks can develop a plan for transitioning to post-quantum cryptography (PQC) to protect sensitive data and comply with regulatory standards. This paper aims to assist in ensuring sufficient cybersecurity in the quantum era by covering several important aspects.

TABLE OF CONTENTS
1. Introduction
  1.1 Current Landscape
  1.2 Motivation and Structure
2. Quantum Computing
  2.1 Technical Overview
  2.2 Timeline for Quantum Computing
  2.3 Parallel Processing and Artificial Intelligence
3. Post-Quantum Cryptography
  3.1 Developing Post-Quantum Cryptography
  3.2 Implementation Challenges
4. Impact on Banks
  4.1 Vulnerabilities, Advanced Persistent Threats, and Data Risks
  4.2 Regulatory Implications
5. Transitioning to PQC
  5.1 Preparations
  5.2 Considerations when Migrating
6. Case Studies
  6.1 Industry Examples
  6.2 Lessons Learned
7. Conclusion
  7.1 Summary of Key Findings
  7.2 Outlook for the Future
8. Appendix
9. References

1. Introduction

The world is becoming more digital, providing simple, efficient, and accessible solutions to everyday tasks.
We share a significant amount of personal information and of what we do to take full advantage of these digital applications. Today, banking matters are usually handled digitally, with in-person service being an option rather than the standard. To facilitate this change in behavior, banks operate online servers from which customers can access their accounts, and these servers must be secure. Protecting the data becomes increasingly difficult as technological advancements introduce new risks. One such advancement is quantum computing, an entirely new generation of computational power that could break the cryptographic algorithms used to protect said data. To ensure the future of online banking, a new generation of quantum-safe algorithms is required.

1.1 Current Landscape

Advancements in technology are frequent today, with notable amounts being invested in research aiming to increase computational power. Commercially available computers can outperform humans in many aspects, such as storing and logging information, data analysis, and mathematical calculations. Still, computational limitations exist, and these limitations can be used when constructing a cybersecurity scheme. One such limitation is the factorization of very large numbers (600 or more digits). Properly chosen numbers have prime factors that are hard to find, making the factorization process infeasible for humans and taking millennia for computers. Consequently, some of the most widely used cryptographic schemes are based on this mathematical problem, two examples being the asymmetric cryptographic algorithms RSA and ECC, used since the 1980s and early 2000s, respectively. Some of their uses are encryption, key exchange, digital signatures, and digital certificates, which are all fundamentals of cybersecurity. Other fields also need to be secured, including secure communication, ensuring data integrity, and bulk encryption, in which case symmetric cryptographic algorithms can be used.
Common alternatives are the Advanced Encryption Standard (AES) family, which replaced the Data Encryption Standard (DES), and ChaCha20, as well as Message Authentication Codes (MACs). The mathematical foundation of AES and ChaCha20 differs from that of RSA and ECC, but breaking them still requires finding the key used to encrypt the information, a single key since the schemes are symmetric. MACs often utilize hash functions, in which case they are called HMACs, commonly built on the Secure Hash Algorithm (SHA) family. These schemes have released improved versions continuously to counter evolving threats while maintaining their mathematical foundation. To maintain the confidentiality and integrity of customer information entrusted to banks, secure encryption is vital. Given the alluring nature of the information, financial gain is a common incentive to conduct a cyberattack; the schemes banks employ therefore prioritize security above all else. As a result, many banks opt for solutions that have proven practically safe rather than state-of-the-art alternatives. While new alternatives may offer improved security, their lack of extensive practical use introduces uncertainty, discouraging banks from early adoption. Letting other entities adopt and test them first and then following suit if they prove secure is a more risk-free way to approach an update. In addition to the banks’ own incentives to maintain security, banks are also subject to regulations that ensure they provide sufficient protection. Two such regulations are the Digital Operational Resilience Act (DORA), which acts solely upon European financial companies, and the General Data Protection Regulation (GDPR), which acts on all European entities. DORA’s documentation has been released; however, it will not come into effect until January 17, 2025. The act should still be considered a part of the current landscape, as banks’ cybersecurity is already being shaped by it.
DORA lists the management body as the responsible actor to oversee that the data the company handles is secure and offers some insight into the financial consequences if the standards are not met. The landscape is currently undergoing changes to prepare for an upcoming paradigm shift: the introduction of cryptanalytically-relevant quantum computers. This new technology will be able to weaken and break cryptographic functions that are vital for security. Even though they are not yet available, the world should prepare for their arrival.

1.2 Motivation

The advent of quantum computing presents both unprecedented opportunities and significant challenges, particularly in the realm of cybersecurity. For banks, which rely heavily on robust cryptographic systems to protect sensitive financial data, the potential for quantum computers to break widely-used cryptographic algorithms such as RSA and ECC necessitates a proactive approach to security. This paper aims to provide comprehensive guidance to banks on migrating to post-quantum cryptographic (PQC) systems, ensuring they remain secure in the face of emerging quantum threats. By understanding the fundamental aspects of quantum computing, including Shor's and Grover's algorithms, banks can better appreciate the urgency of this migration. Additionally, the paper highlights the potential impacts of quantum computing on the banking sector and underscores the importance of adopting PQC algorithms to safeguard against future vulnerabilities.

2. Quantum Computing

This section aims to provide a general understanding of what quantum computing offers and its possible impacts. An in-depth analysis of the technical architecture, or of the algorithms that require quantum computing, will not be provided; the interested reader is encouraged to seek out this information, as it is readily available online.
The specifications listed here are not absolutes, as future developments will likely invalidate some statements, and the timeline is intended as a guideline, as the future timestamps are based on current expectations.

2.1 Technical Overview

Quantum computers differ from classical ones on a fundamental level. Classical computers use bits (a portmanteau of binary digits), each representing a logical state of either 0 or 1. The quantum computer equivalent is the qubit (quantum bit). A qubit can also represent a logical state, but instead of being fixed at 0 or 1 it holds both values simultaneously. To represent this superposition, qubits are described by wavefunctions, which give the likelihood of specific outcomes without ever determining an exact one. Should a qubit be measured, it becomes either 0 or 1; the wavefunction is said to collapse, as the qubit is no longer represented by a range of possible values but by an exact one. In addition to superposition, qubits can become entangled, a quantum feature where two or more qubits become codependent so that one cannot be measured without affecting the other(s). When qubits are entangled, their individual wavefunctions are no longer measurable; instead, the entire system is described by a single joint wavefunction. This allows quantum computers to manipulate several qubits when operating on one qubit they are entangled with, and they can therefore work on many problems at the same time. This parallelization is very effective, as it uses the probabilistic nature of the wavefunctions to find the solution(s) as fast as possible. A critical issue with quantum computing is error correction, a problem rooted in the fact that a copy cannot be created of an unknown quantum state (i.e. a non-measured qubit).
While error correction is a necessity for all types of computers, as computations are expected to be accurate, implementing solutions in classical computers is rather straightforward, as bits are easily replaced, in contrast to quantum computers. One proposed solution to this issue is using several qubits to act as, or on, a single logical qubit that performs the actual task. In both instances, the underlying physical qubits control the logical qubit to minimize the error rate of its decision-making. However, this requires significantly more qubits, which can be hard to implement.

2.2 Timeline for Quantum Computers

The development of quantum computers is ongoing and shows no signs of slowing down. Over the past few decades the development focused on generating stable quantum systems by increasing the qubit count. In the early 2000s the largest qubit counts were in the single digits. The physical qubit count steadily increased, surpassing 10 in 2006 and reaching around 50 in the late 2010s. New records were set each year from 2021 to 2023, with qubit counts reaching 66, 433, and 1180, respectively [8-10]. The aim of increasing the qubit count in a system will continue, as evidenced by several research teams’ road maps for the coming years [11-13].

The qubit count is not the only area of interest; the ongoing issue of error correction remains significant. Introducing more qubits to solve this problem is still considered viable, but there is an ongoing effort to decrease the amount of physical qubits needed for a logical qubit. In 2012, it was estimated that each logical qubit would require between 1000 and 10000 physical qubits for a satisfactory error rate. This estimation was reduced in 2019 to 1568 physical ones for one logical, and most recently it was reduced to 30 physical qubits for 4 logical qubits in 2024. Although it shows improvement, creating such a decrease in qubit count is demanding. Another major finding in regards to qubits was Google’s proof that by scaling a quantum error-correcting code the fault rate can be reduced. With this taken into account, with a target of reaching 1 million in 2029, the implications of reaching greater qubit counts are significant. Improving the relation between physical and logical qubits and removing scaling limitations will expedite the process of creating a cryptanalytically-relevant quantum computer (CRQC).

Current estimations suggest that breaking relevant cryptographic algorithms will require between 6000 and 23000 logical qubits, depending on the algorithm and its size. This estimation assumes the attacker uses Shor’s algorithm, a quantum algorithm which can be used to easily solve the large factorizations needed to break RSA and ECC, given that the quantum computer is sufficiently strong. Other noteworthy quantum-enabled algorithms are Grover’s and Brassard-Høyer-Tapp’s (BHT’s) algorithms [22-23].

Timeline (sidebar):
1988 – First realization of a quantum computer
2001 – First use of Shor’s algorithm
2013 – Mosca’s inequality
2016 – NIST’s competition launches
2016 – China announced satellite for quantum network
2017 – NIST receives first submissions
2019 – 20 million qubits predicted to break RSA-2048
2020 – The funding for quantum research surges
2021 – China manages a quantum network spanning 4,600 km
2022 – SIKE and Rainbow are broken
2022 – AWS offers KEMTLS
2024 – NIST will release first standardizations
2029 – 1 million qubit quantum computer
2030 – CRQCs available

Shor’s algorithm: Published in 1994. Used for factoring large integers and therefore breaks public-key cryptography schemes (i.e. RSA and ECC), possibly in 8 hours.
Grover’s algorithm: Published in 1996. It provides a quadratic speedup for unstructured search, which reduces the security of symmetric cryptography, like AES, by half.
Brassard-Høyer-Tapp’s (BHT) algorithm: Published in 1997.
Derived from Grover’s algorithm, it is more effective at finding hash collisions, which reduces the security of hash-based schemes, such as SHA, by one-sixth of what it is today.

Based on this, predictions as to when CRQCs will be available vary. Some experts believe it will be as early as 5 years, while others believe it may take 10 years. Nonetheless, there is a general consensus that quantum computers will be able to decrypt certain algorithms relatively soon. One indicator of the progress of quantum computing is the increased funding. For example, in 2020 the number of deals surged to five times the amount of 2019, and almost doubled again in 2021. Since then, the total amount has decreased, and 2023 saw similar figures to 2020, but the number of fundings is steadily on the rise. This suggests that the research will continue, as several parties, both nations and private actors, have the research’s success in their interests. Improvements are not only sought after in qubit counts and error rates, but also in communication and integration with existing systems. Quantum communication has presented a challenge, as it has proved difficult to maintain the quality of the qubits over longer distances. Messages can be sent either over optical fibers or over open space. Optical fibers are to be preferred as they reduce the risk of quality loss, but they are demanding resource-wise. A use case for quantum communication is Quantum Key Distribution (QKD), a quantum-safe way of establishing secure communications. The longest achieved distribution distance to date is 1000 km, which can be extended using repeaters, which act as checkpoints. Such a solution is not fully satisfactory for QKD, as the sent information must then be entrusted to the repeater provider. Another solution is free-space satellite communication, which has managed to cover up to 2200 km. For global communications to remain secure, this field will need to see continued improvements.
2.3 Parallel Processing and Artificial Intelligence

Effective parallelization is a defining strength of quantum computers but can be performed by classical computers as well. The parallel processing classical computers offer is substantially weaker and cryptanalytically irrelevant; key recovery for RSA via brute force requires an impractically long time classically. The continued improvement of classical parallelization is nevertheless relevant, as it is necessary for artificial intelligence (AI). Developing a well-functioning AI requires a lot of computational power, with some recent GPU releases being increasingly tailored for AI development. The range of AI applications is still expanding, but one field is social engineering attacks. These attacks are aimed at the people handling the digital equipment rather than the equipment itself, hoping that the person will reveal information the equipment has hidden securely. There are a multitude of ways to conduct a social engineering attack, with two common ones listed below.

Spear-phishing: Messages that seem legitimate and relevant to the recipient but possibly contain a malicious link or file that grants the attacker access to the user's system.
Blackmail: Using deep fakes, digitally generated media that is perceived as real, an attacker can threaten the victim with releasing the fake media unless the victim agrees to perform certain favors or share classified information.

Quantum computers, with their improved parallelization, are expected to improve AI. This is not all too concerning, since the issue with AI-based attacks is their ability to mimic a human, i.e., perform well at the Turing test. The Turing test was suggested by Alan Turing: a human player is tasked with differentiating between a communicating human and a communicating machine. Once the machine is capable enough at imitating humans for the decision to become a coin flip, no further improvements can be made to affect the test’s outcome.
With the AIs running on classical computers approaching this limitation, any improvements quantum computers offer will not necessarily affect their ability to perform social engineering attacks. In addition to social engineering attacks, AI can conduct cyberattacks that are aware of the preventative measures taken and adapt the attack accordingly. These attacks can improve with an AI that approaches the defenses differently to avoid detection. This is not revolutionary, as some of these AI cyberattacks are already quite refined, and enhanced security measures can be put in place to level the playing field once more after AI becomes stronger. This paper will not delve any deeper into the effect improvements in AI have on cybersecurity, as it is outside the scope of this work. It is a broad field and warrants its own study, where the attacks and the corresponding mitigations are thoroughly examined. Our concise and rather simple recommendation is to build a better understanding within the company regarding the threat AI poses. If personnel who interact with digital devices remain vigilant and know how to act during an incident, most attacks will not be fruitful for the attacker.

3. Post-Quantum Cryptography

Post-quantum cryptography will help shape the future cybersecurity landscape. PQC is developed to be resilient to attacks enabled by quantum computers, as well as classical computers. This has been a very active field in the last decade, with many new algorithms proposed and existing ones frequently refined. As the list containing all the proposed algorithms is extensive, this paper only covers a few, focusing on the development process at large. The technical aspects of the presented solutions will be omitted from this section to maintain clarity but are included in Appendix A instead.

3.1 Developing Post-Quantum Cryptography

Post-quantum cryptography (PQC) is the term that defines the cryptographic algorithms which are secure even against CRQCs.
As the potential threat quantum computers pose increases, the need for PQC becomes more apparent. To find algorithms secure against quantum computers, a competition was initiated by the National Institute of Standards and Technology (NIST) in 2016. In the competition, contestants were encouraged to submit cryptographic schemes, which were to be examined with the winner(s) being standardized. As of writing this paper, eight years and five iterations have passed since the competition’s announcement, with each iteration consisting of listing the remaining candidates, testing them and pruning the list by removing insecure or impractical solutions. During the third iteration, the first group of finalists was selected: ML-KEM (formerly known as CRYSTALS-Kyber), Classic McEliece, NTRU and SABER for Key Encapsulation Mechanisms (KEMs), and ML-DSA (formerly known as CRYSTALS-Dilithium), FN-DSA (formerly known as FALCON) and Rainbow for Digital Signature Algorithms (DSAs). ML-KEM was selected as the only KEM to be standardized, and ML-DSA, FN-DSA, and SLH-DSA (formerly known as SPHINCS+) were selected out of the DSAs. The fourth iteration’s candidates were announced simultaneously, with Classic McEliece, BIKE, HQC, and SIKE being the remaining ones (all KEMs). NTRU and SABER were omitted on the basis that they were founded on similar mathematical principles as ML-KEM but performed worse. Shortly after this announcement, major breaks were found against SIKE and Rainbow, respectively, proving that they could be broken classically, which led to them being removed from the list of remaining candidates [36-37]. As no DSA candidates remained after the third round, NIST issued another competition with the sole interest in DSAs, with the caveat that submissions must not be lattice-based. This constraint was introduced because ML-KEM, ML-DSA and FN-DSA are all based on the same mathematical hardness, lattices, meaning that if a vulnerability is found, no suitable substitutes exist.
This secondary competition has received its initial submissions, which are currently undergoing testing. The fifth iteration’s conference was held in April 2024, during which there were updates on the candidates as well as on the standardization papers for the ones announced during the third conference. These updates included that FN-DSA’s standardization would be postponed due to implementation complexity and that the other standardization papers are intended to be released in late summer or early fall 2024.

Candidates per round (* marks the algorithms that were later selected for standardization, as stated above):
Round 1: KEMs: Kyber*, Classical McEliece, HQC, BIKE, SIKE, ...; DSAs: Dilithium*, Falcon*, Rainbow, SPHINCS+*, ...
Round 2: KEMs: Kyber*, Classical McEliece, HQC, BIKE, SIKE, ...; DSAs: Dilithium*, Falcon*, Rainbow, SPHINCS+*, ...
Round 3: KEMs: Kyber*, Classical McEliece, NTRU, SABER, HQC, BIKE, SIKE, ...; DSAs: Dilithium*, Falcon*, Rainbow, SPHINCS+*, ...
Round 4: KEMs: ML-KEM, Classical McEliece, HQC, BIKE, SIKE; DSAs: ML-DSA, FN-DSA, SLH-DSA

The work that NIST and the contributors have done and continue to do is unparalleled in the field of post-quantum cryptographic algorithms. As of now it is expected that their findings and results will be adopted not only in the US but in Europe as well, as EITC endorses NIST’s findings and recommends hybrid solutions for early adopters in their report on PQC. A significant concern is that in the past NIST has allegedly allowed the National Security Agency (NSA) to push for solutions that benefit them. Such concerns exist regarding the PQC development as well [14]. For several countries in Asia the focus lies elsewhere, taking a different approach than the one led by NIST. China, Israel, Japan and Singapore have expressed an interest in QKD. This interest is shared by the US and EU, with the European Quantum Communication Infrastructure (EuroQCI) working on granting secure quantum communication to its member states. Nevertheless, the development of PQC algorithms has been more prevalent.
A shortcoming of QKD is that all nodes (including repeaters) between the communicating parties process the transmission and must therefore be trusted for the communication to be secure. This is a complication for banks intending to use QKD, as they must entrust the vendor supplying the nodes with the data while remaining compliant with GDPR’s confidentiality requirements. Both QKD (and by extension quantum communication) and PQC are required for security. They complement one another: QKD ensures the secure sharing of keys, and PQC uses said keys to ensure security in some aspect (i.e. communication or storing information). Both will continue to see development as, from a technological viewpoint, they are both new.

Post-Quantum Secure Algorithms

The listed algorithms, both KEMs and DSAs, were submitted to NIST as participation in the standardization initiative. NIST set 5 different security levels for PQC, with several of these algorithms having distinct versions to meet each threshold. This allows for choosing a suitable security level when implementing PQC without having to resort to superfluously complex solutions. KEMs and DSAs are intended to provide the underlying security in vital operations such as secure storage of information, channel connections and authentication. A common issue for all provided solutions is that they are significantly larger than the classical solutions they are meant to replace.

KEMs (algorithm: founding; pros; cons):
ML-KEM: lattice-based; best performing and relatively well-tested; vulnerable to SCA (side-channel attacks)
HQC: code-based; performs well on optimized hardware; scaling difficulties and some security issues
McEliece: code-based; small private key; enormous public key
BIKE: code-based; masked version available; possible decryption failure

DSAs (algorithm: founding; pros; cons):
ML-DSA: lattice-based; reliable and consistent; difficult to mask
FN-DSA: lattice-based; relatively small keys and fast; difficult to implement
SLH-DSA: hash-based; small keys; states cannot be reused and large signature

3.2 Implementation Challenges

As alluded to in the previous section, some challenges make an immediate transition to PQC difficult. QKD has the issues of hardware requirements and of having to entrust information to third-party vendors, whereas PQC’s implementation issues stem from the algorithms themselves. The PQC algorithms have not had the opportunity to prove themselves secure in practice. Furthermore, the SIKE and Rainbow breaks in 2022 show that even though the PQC candidates have been tested extensively, they are at an early stage of development, and there could be attack vectors that have been overlooked. With continuous cryptanalysis, these uncertainties will gradually diminish. However, waiting for the field to mature will leave systems vulnerable. To tackle this, an alternative solution has been presented: hybrids. A hybrid solution uses both a quantum-safe algorithm and a classically secure one. If the quantum-safe algorithm is proven to be broken, the hybrid solution at least maintains its classical security. It allows systems to take advantage of PQC without compromising on security. A hybrid solution can be simple: the key it uses is derived from both the key generated by the classical algorithm and the key from the quantum-safe algorithm. Similarly, for digital signatures based on hybrid solutions there are two signatures, a classical and a post-quantum one, with both needing to be verified for authentication. As a result of combining two solutions, a greater key size and signature size is to be expected. These size differences have been an aspect NIST considered when selecting which algorithms to keep as candidates for future iterations. While the remaining candidates and those chosen for standardization have reduced their sizes, they still remain significantly larger than the classical keys in use today.
This difference is exemplified by comparing a recommended algorithm for key agreement in TLS 1.3 and the suggested one for post-quantum secure TLS. The one currently in use is X25519, a Diffie-Hellman function with its underlying security in ECC, in which the client shares a 32-byte key with the server. The suggested algorithm for post-quantum security is ML-KEM, as it is the only KEM to be standardized as of now. The version of ML-KEM that its developers suggest for use is ML-KEM-768, which is considerably larger: the user sends a 1184-byte key, 37 times larger than X25519. The size is a problem due to the Maximum Segment Size (MSS), which is a hard limit on how much information can be stored in a single packet sent across a network. The current MSS is 1460 bytes, and if a packet exceeds this limit it cannot be received by other parties. While neither ML-KEM-768's key nor X25519's key is too large when used on its own, the combination of both, along with the handshake, which is roughly 200 bytes, and a pre-shared key greater than 44 bytes (many being 200-300 bytes), results in a value greater than the allowed limit. A downgrade to ML-KEM-512 reduces the PQC key to 800 bytes, resulting in a total byte value under the limit, at the cost of reduced security. ML-KEM-512 is considered secure, although this has been debated, as some suggest that its security is less than the minimum set by NIST. The significant size difference impacts performance in the broader context of implementing PQC. The complexity of implementing such a scheme remains challenging, even when downgrading performance and security. The introduction of a new mathematical algorithm which to some degree weakens existing, or possibly breaks, PQC solutions is unlikely, but not impossible.
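As an added example (not code from the paper), the following Python script models the ClientHello size budget described above: it stacks the classical key share, the PQC key share, the roughly 200-byte handshake overhead and the pre-shared key against the 1460-byte MSS, and derives the 44-byte PSK budget and the 37x size ratio from the paper's figures. The 200-byte handshake overhead and the PSK lengths are the paper's rough estimates, used here as constructed inputs.

```python
"""TLS 1.3 ClientHello size budget for hybrid post-quantum key shares.

Added example, not code from the paper. It models the stacked sizes the
paper describes (classical key share, PQC key share, handshake overhead,
pre-shared key) against the 1460-byte MSS. All sizes are taken from the
paper's figures; the 200-byte handshake overhead and the PSK lengths are
the paper's rough estimates, not values measured from a real handshake.
"""
from dataclasses import dataclass

MSS_BYTES = 1460          # maximum segment size assumed by the paper
HANDSHAKE_OVERHEAD = 200  # rest of the ClientHello, rough estimate from the paper

# Key-share sizes in bytes (client -> server)
X25519_KEY = 32
ML_KEM_512_PK = 800       # ML-KEM-512 encapsulation key
ML_KEM_768_PK = 1184      # ML-KEM-768 encapsulation key


@dataclass(frozen=True)
class KeyShareConfig:
    name: str
    classical_bytes: int  # 0 when no classical component is sent
    pqc_bytes: int        # 0 when no PQC component is sent


CONFIGS = {
    "x25519": KeyShareConfig("X25519", X25519_KEY, 0),
    "mlkem768-hybrid": KeyShareConfig("X25519 + ML-KEM-768", X25519_KEY, ML_KEM_768_PK),
    "mlkem512-hybrid": KeyShareConfig("X25519 + ML-KEM-512", X25519_KEY, ML_KEM_512_PK),
}


def client_hello_size(cfg: KeyShareConfig, psk_bytes: int) -> int:
    """Total bytes: key share(s) + handshake overhead + pre-shared key."""
    return cfg.classical_bytes + cfg.pqc_bytes + HANDSHAKE_OVERHEAD + psk_bytes


def fits_single_segment(cfg: KeyShareConfig, psk_bytes: int, mss: int = MSS_BYTES) -> bool:
    """True when the whole ClientHello fits in one segment of size `mss`."""
    return client_hello_size(cfg, psk_bytes) <= mss


def psk_budget(cfg: KeyShareConfig, mss: int = MSS_BYTES) -> int:
    """Largest PSK (bytes) that still fits; negative means it never fits.

    For the ML-KEM-768 hybrid this is 1460 - 1184 - 32 - 200 = 44, which is
    where the paper's "pre-shared key greater than 44 bytes" threshold comes from.
    """
    return mss - (cfg.classical_bytes + cfg.pqc_bytes + HANDSHAKE_OVERHEAD)


def segments_needed(cfg: KeyShareConfig, psk_bytes: int, mss: int = MSS_BYTES) -> int:
    """Number of MSS-sized segments the ClientHello would occupy (ceiling division)."""
    return -(-client_hello_size(cfg, psk_bytes) // mss)


def size_ratio(pqc_bytes: int, classical_bytes: int = X25519_KEY) -> int:
    """How many times larger the PQC key share is than the classical one."""
    return pqc_bytes // classical_bytes


def report(psk_bytes: int = 200) -> list:
    """One row per configuration: (name, total size, fits in one segment, PSK budget)."""
    return [
        (cfg.name, client_hello_size(cfg, psk_bytes), fits_single_segment(cfg, psk_bytes), psk_budget(cfg))
        for cfg in CONFIGS.values()
    ]


if __name__ == "__main__":
    # Typical PSK of 200 bytes, as in the paper's "many being 200-300 bytes"
    for name, total, fits, budget in report(200):
        print(f"{name:22s} {total:5d} bytes  fits={fits!s:5s}  max PSK={budget}")
```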
It would require a new mathematical discovery, which is inherently difficult, as the mathematical hardness on which both classical and quantum-safe solutions are based has been tested for decades, giving ample time to test the theory. Moreover, new attack vectors can be found against the relatively new PQC solutions. Either scenario warrants a cryptographic transition, which calls into question the effectiveness of an early transition. Given that an early transition is non-negotiable for banks and the proposed solutions are currently secure, the focus should be on creating systems that allow for easy cryptographic transition, i.e. being crypto-agile. This principle is discussed in depth under Section 5.1.

[Figure: stacked ClientHello size in bytes (classical key, authenticative pre-shared key, handshake, PQC key) for the ML-KEM-768 hybrid, the ML-KEM-512 hybrid and X25519, with the MSS marked; y-axis 0 to 2000 bytes.]

4. Impact on Banks

Quantum computing, especially the emergence of cryptanalytically-relevant quantum computers (CRQCs), is a major threat to the financial sector. As mentioned in Section 2, some of the encryption methods used by banks are not quantum-safe; thus, data, communication, and transactions are at risk. In 2023, the financial sector reported the second-highest amount of cyber attacks, mainly driven by economic and political motives. As a part of critical infrastructure, banks deal with large amounts of money and store a lot of personal information. The emergence of CRQCs will probably increase these threats, as nations will be among the first to obtain them, thus enabling more complex attacks. This section will explore these increasing risks and the impacts of regulations like GDPR and DORA.

4.1 Vulnerabilities, Advanced Persistent Threats, and Data Risks

Banks handle vast amounts of personally identifiable information (PII), such as customer details, account information, and transaction histories. New entry points are introduced by the many programs needed to manage this data, which often include data warehouses, CRM systems, and core banking systems. Also, banks are now more interconnected thanks to open banking APIs, but there are also additional risks, because malicious actors may use these APIs' flaws to gain access to systems. These vulnerabilities can be used by advanced persistent threats (APTs) to access sensitive data like social security numbers or financial holdings. This data needs to be kept safe for a long time and is one of the main types of data handled by banks, making banking one of the sectors with the longest data retention periods. It is especially vulnerable to HNDL (harvest now, decrypt later) attacks.

HNDL: “Harvest now, decrypt later” (sidebar)
One emerging threat from quantum technology is known as “harvest now, decrypt later” (HNDL). This involves capturing and storing encrypted data with the intention of decrypting it in the future, when quantum computers become powerful enough to break current encryption methods.

HNDL attacks are particularly concerning for data with a long shelf life: information that remains sensitive or classified over years or decades. In the banking context, examples of such data include customer information, transaction records, trading strategies and more. Whether data is at rest (stored) or in transit (being transmitted), quantum computing poses significant risks to its security:

Data at rest: For instance, if a quantum computer decrypts a customer database, hackers can steal and misuse information such as social security numbers, addresses, and identification numbers. Quantum-powered attacks could also crack the encryption of credit scores, investment portfolios, tax documents, and transaction records.
Data in transit: Quantum computing could intercept and decrypt data related to credit and debit card transactions, electronic fund transfers, and automated clearing house (ACH) transactions.
Real-time payment data could be manipulated or intercepted, leading to fraud, loss of funds and disrupted payment systems. Encrypted data shared with credit bureaus, financial advisors and fintech partners could be decrypted, resulting in privacy breaches, regulatory non-compliance and economic losses.

Banks are typically sizable organizations with extensive IT infrastructure, numerous applications and intricate legacy systems. With so many access points, it becomes increasingly difficult to find and close every weakness. The shift to quantum-safe encryption will therefore be an extensive undertaking simply because of its magnitude and scope, which makes it all the more important to consider these threats today. The longer the start of the transition is delayed, the greater the exposure to quantum attacks.

4.2 Regulatory Implications

As the quantum threat evolves, businesses need to remain secure, and legislation is being created to protect the sector. These regulations exist at national, continental and even global levels, and it is anticipated that increased regulation will eventually force banks to transition to PQC. A few regulations already mandate quantum-safe practices indirectly. In the EU, the General Data Protection Regulation (GDPR) and the Digital Operational Resilience Act (DORA) impose stringent data protection and cybersecurity requirements on financial institutions. Under GDPR, financial institutions must implement effective data protection measures to secure personal information; in the quantum era, that means encryption that withstands attacks from quantum computers. Inadequate protection that leads to a data breach is fined according to its severity. For severe violations under Art. 83(5) GDPR, fines can reach up to 20 million euros or 4% of global annual turnover, whichever is higher, whereas less severe violations under Art.
83(4) GDPR can result in fines of up to 10 million euros or 2% of global annual turnover, whichever is higher.

In addition to GDPR, DORA indirectly pushes for quantum-safe systems. It seeks to improve the digital operational resilience of financial institutions by ensuring they can withstand, respond to and recover from any ICT-related disruption or threat, which makes quantum-safe systems even more relevant. DORA also requires an "oversight framework for critical ICT third-party providers", and vendor oversight is crucial for being quantum-safe. Additionally, the act requires financial-sector companies to conduct regular risk assessments, an important part of any PQC migration, and to implement robust ICT security policies against threats. Since the quantum threat is real and approaching, and ICT covers both software and hardware, both must be considered and both must become quantum-safe. Failing to transition to quantum-safe systems may therefore come to be treated as non-compliance with these regulations. Under GDPR and DORA, both companies and individuals can be fined: GDPR Article 4 defines the parties subject to it as "any natural or legal person, public authority, agency, or body", while DORA can impose fines on "financial entities or, in some jurisdictions, directly on board members". The savings from avoiding these fines may therefore outweigh the cost of the extensive transition to quantum-safe systems, providing a strong incentive to transition and comply.

5. Transitioning to PQC

Organizations are categorized into three groups, urgent adopters, regular adopters and cryptography experts, based on factors that determine how urgently they need to implement PQC. These groups help organizations prioritize and plan their PQC adoption strategies. For more comprehensive details, please refer to the PQC Migration Handbook, which considers the following factors: 1.
Attack Surface: What infrastructure and systems are potentially vulnerable to quantum computing attacks?
2. System Types: What critical systems does the organization manage, and what would be the consequences of their failure?
3. Data Types: How sensitive and important is the data the organization handles?
4. Time Pressure: How urgent is it for the organization to adopt post-quantum cryptography (PQC)?
5. Dependency on other organizations: How dependent is the organization on partners and suppliers for security?
6. Threat Level: How likely is the organization to be targeted by quantum computing threats?

Urgent adopters are organizations that must prioritize transitioning to post-quantum cryptography (PQC), especially those handling sensitive data or providing critical infrastructure, such as banks. As one of the most frequently targeted sectors for cyber attacks, as discussed in Section 4, banks are likely to be early targets for attackers equipped with quantum computers. This section provides an introductory overview of how banks can prepare for and execute a PQC migration. While there are many detailed handbooks and companies that specialize in this area, our focus is a general introduction to the migration process: understanding the fundamentals of PQC, evaluating current cryptographic systems, and planning a phased transition to quantum-resistant algorithms.

5.1 Preparations

Inventory and prioritization

The first step in migrating to PQC is creating an inventory and prioritizing assets. Urgent adopters, such as banks, should begin working on this inventory as soon as possible. An early inventory makes it possible to draw up a plan and an implementation schedule, which eases the overall process and lowers its cost. Postponing the migration invites hasty decisions and poor implementation, which is likely to be more expensive.
The inventory should give an overview of the cryptographic landscape within the organization, detailing every use of cryptography in both software and hardware. It should record the specifics of each cryptographic asset: the algorithms, their key lengths and what they are used for. The purpose is to identify which assets are vulnerable to quantum attacks and to find quantum-safe replacements. For most organizations, a significant part of the cryptographic assets (software and hardware alike) is supplied by external vendors, so a key aspect of the migration is to check whether these suppliers are also moving to quantum-safe solutions, or else to look for new ones. For each vendor, record all the products in use, the contracts and the contact information. It is also recommended to look at internal communication tools (instant messaging and collaboration platforms) and shadow IT. The inventory can be cumbersome and time-consuming, as past cryptographic migrations have shown. Nevertheless, tools being developed by NIST, as well as existing tools such as testssl.sh, can help in understanding where and how cryptographic algorithms are used.

Once the inventory is established, banks should conduct a risk assessment of the threats that quantum computing poses to the identified assets. One of the most important aspects of this assessment is to set a time frame. Mosca's inequality, a framework that prioritizes based on the time required to implement quantum-safe systems against the time at which the quantum threat becomes realistic, can help here.
The inequality is expressed as X + Y > Z, where X is the time needed to secure systems with quantum-resistant algorithms, Y is the time the data needs to remain secure, and Z is the time until quantum computers can break current methods. If the inequality holds, data that is still sensitive will be exposed before it has been re-protected, so the migration is already late.

[Figure: Mosca's inequality, urgency to migrate. X: time needed to migrate to PQC; Y: time data needs to remain secure; Z: time until quantum computers can break current encryption, drawn on a time axis.]

The risk assessment should also consider the potential impact of data breaches, the cost of implementing new cryptographic solutions, and the regulatory and compliance implications, such as those mentioned in the introduction, of failing to protect sensitive data adequately. By assessing these risks, organizations can prioritize their migration efforts, focusing first on the most critical systems and data. Early planning and proactive measures help organizations avoid the pitfalls of a rushed migration, which can lead to costly mistakes and security vulnerabilities.

Crypto-agility

Crypto-agility is important for being ready for the post-quantum world and for other emerging risks. As the case studies in Section 6 show, most companies highlight the need for crypto-agility after implementing some quantum-safe parts. Being crypto-agile means being able to modify protocols, products and systems easily enough to swap algorithms without drastic changes to the overall system structure. This readiness cannot be purchased; it requires an integrated approach that coordinates people, processes and technology. It also extends beyond identifying at-risk assets to the ability to switch vendors or suppliers that cannot provide quantum-safe products, so that the entire cryptographic infrastructure remains secure and up to date.
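The inventory and the Mosca-based risk assessment described above fit together naturally in one triage step. The following is an added example, not code from the report or the handbook it cites: each inventory entry carries what the inventory step asks for (algorithm, key length, use, owning vendor) plus the two per-asset estimates the inequality needs, X (years to migrate that asset) and Y (years its data must stay secret), while Z (years until a CRQC) is one assumption for the whole run. Assets are classified as broken outright by Shor, in need of larger parameters under Grover or BHT, or fine, and then ranked by how far X + Y exceeds Z. The sample inventory, the 10-year Z, the 128-bit effective-strength policy and all function names are this example's assumptions.

```python
"""Cryptographic inventory triage with Mosca's inequality (added example).

Classifies each asset's quantum exposure and ranks assets by X + Y - Z so
that the migration starts where the inequality is violated the most.
"""
from dataclasses import dataclass

# Public-key families a CRQC breaks outright (Shor's algorithm).
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "X25519", "Ed25519"}
# Symmetric ciphers: Grover halves the effective key length.
SYMMETRIC = {"AES", "ChaCha20"}
# Hash functions: BHT lowers collision security from n/2 to n/3 bits
# (the model used in the report's Section 2.2).
HASHES = {"SHA-256", "SHA-384", "SHA-512", "SHA3-256", "SHA3-512"}


@dataclass
class Asset:
    name: str
    algorithm: str
    bits: int             # key length, or hash output length
    use: str              # e.g. "TLS key exchange", "database encryption"
    vendor: str           # "internal" or the supplier owning the implementation
    migrate_years: float  # X: time needed to migrate this asset
    secrecy_years: float  # Y: how long the protected data must stay secret


def quantum_status(asset, min_effective_bits=128):
    """'broken' needs a PQC replacement, 'strengthen' needs larger parameters,
    'ok' survives with the policy's effective strength, 'unknown' needs review."""
    if asset.algorithm in SHOR_BROKEN:
        return "broken"
    if asset.algorithm in SYMMETRIC:
        return "ok" if asset.bits // 2 >= min_effective_bits else "strengthen"
    if asset.algorithm in HASHES:
        return "ok" if asset.bits // 3 >= min_effective_bits else "strengthen"
    return "unknown"


def mosca_margin(asset, crqc_years):
    """X + Y - Z: positive means the data still needs protection when a CRQC
    exists, i.e. the migration of this asset is already that many years late."""
    return asset.migrate_years + asset.secrecy_years - crqc_years


def triage(inventory, crqc_years):
    """Return (asset, status, margin) tuples, most urgent first: Shor-broken
    assets by descending margin, then unreviewed, then too-weak, then fine."""
    rank = {"broken": 0, "unknown": 1, "strengthen": 2, "ok": 3}
    rows = [(a, quantum_status(a), mosca_margin(a, crqc_years)) for a in inventory]
    return sorted(rows, key=lambda row: (rank[row[1]], -row[2]))


def vendors_to_query(rows):
    """External suppliers owning an exposed asset; each must confirm a PQC roadmap."""
    return sorted({a.vendor for a, status, _ in rows
                   if status in ("broken", "strengthen") and a.vendor != "internal"})


# Constructed sample inventory; not real systems or suppliers.
SAMPLE_INVENTORY = [
    Asset("core-banking TLS", "ECDH", 256, "TLS key exchange", "internal", 3, 10),
    Asset("archive signing", "RSA", 2048, "document signatures", "DocVendor", 4, 25),
    Asset("customer DB", "AES", 128, "database encryption", "internal", 2, 15),
    Asset("backup tapes", "AES", 256, "backup encryption", "TapeCo", 1, 15),
    Asset("integrity hashes", "SHA-256", 256, "log hashing", "internal", 1, 5),
]

if __name__ == "__main__":
    rows = triage(SAMPLE_INVENTORY, crqc_years=10)   # Z = 10 years is an assumption
    for asset, status, margin in rows:
        print(f"{asset.name:18s} {asset.algorithm:8s} {status:10s} margin={margin:+.0f}y")
    print("vendors to query:", vendors_to_query(rows))
```

The ranking deliberately puts a Shor-broken asset with a negative margin above a too-weak symmetric asset with a positive one: the former has no quantum-safe state until its algorithm is replaced, whereas the latter only needs a larger key or hash, which the report notes is a small change.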
Cryptographic implementations, especially those embedded in legacy systems, may require updates as new vulnerabilities are discovered and new standards are established. For instance, two of NIST's top candidates, the SIKE and Rainbow algorithms mentioned in Section 3, were considered secure but were broken in 2022. This underscores the importance of crypto-agility, not only for migrating to quantum-safe algorithms but also for being able to switch to an alternative if a standardized scheme is broken, as these schemes are still relatively new. Crypto-agility is therefore especially relevant when migrating only certain assets before standardized algorithms are released and validated implementations are available. In contrast to classical cryptography, where standards are well established, PQC requires a more adaptable approach, and it also demands greater hardware resources. Organizations therefore need to assess whether their existing hardware can support PQC and, if not, plan upgrades or replacements.

To foster cryptographic agility, organizations should adopt several practices:

Designing flexible systems: Build new and updated systems so that cryptographic operations are separated from core application logic, using high-level libraries, cloud services or external key management systems. Exercise these systems in CI/CD pipelines so that swapping an algorithm is a tested, routine change.

Vendor and supplier management: Include vendors in the inventory and keep a list of all vendors and suppliers. This list should record the products in use, the contracts still in force and the suppliers' contact information.

Education and awareness: Hold regular training sessions and run awareness campaigns to keep all employees informed about cryptographic practices and agility.
Preparing for PQC with Zero-Trust Integration

By combining Zero Trust Architecture (ZTA) with post-quantum cryptography (PQC), organizations can create a robust security model that protects against current and future threats, including those posed by quantum computing. When implementing ZTA or PQC, companies must adjust quickly to changing standards and risks, which again highlights the need for crypto-agility; without that flexibility, the transition to a new architecture is hard. A combined ZTA and PQC approach nonetheless offers an effective and future-proof solution.

Zero Trust Architecture requires a thorough inventory of cryptographic assets, including hardware, keys and certificates, which in turn makes the transition to PQC easier. An existing inventory allows for a more efficient risk assessment and prioritization, saving time and resources. Since ZTA and PQC touch many of the same components, implementing them together is generally more effective than updating systems one at a time. Shared components include unified key management systems, updated libraries and software, and Identity and Access Management (IAM) systems.

Continuous management and improvement of identity, access and encryption are essential to maintaining a secure system. This is particularly true when implementing a Zero Trust Network Access framework with PQC. PQC can significantly reduce vulnerabilities within such a framework in key areas such as identity (for both person and non-person entities), credentials, access management, operations, endpoints, hosting environments and interconnecting infrastructure. Since trust is the unifying factor in such a design, crypto-agility is not just important but critical, and it is typically achieved during the transition to either ZTA or PQC, which makes a combined implementation logical and beneficial for building secure and robust systems.
5.2 Considerations when Migrating

Several aspects need to be considered when conducting the transition, in order to maintain security both during the migration and after it. Understanding the primitives and protocols in use makes the transition sounder and more effective. Primitives here include, but are not limited to, key exchange methods, digital signatures for authentication, encryption and hash functions. Section 3.1 presented several PQC alternatives for key encapsulation mechanisms (KEMs) and digital signature algorithms. As further discussed in Section 3.2, hybrid solutions are a viable option since they are both classically secure and quantum-safe. Several open-source projects already contain such solutions, giving companies a head start: they only have to integrate them into existing systems and adjust where necessary. Every company that stores information digitally has to perform this migration, and learning from what others have done, following their successes and avoiding their mistakes, makes the migration more effective and saves resources.

Hash functions were briefly mentioned while covering the BHT algorithm in Section 2.2, where it was stated that BHT lowers the collision security of an n-bit hash from n/2 to n/3 bits, i.e. by a sixth of the output size. Since this security is tied directly to the output size, a larger output restores the original margin. Similarly, symmetric ciphers are affected by Grover's algorithm, which halves their effective key length; this is mitigated by doubling the key size (e.g. moving from AES-128 to AES-256; NIST defines its security levels 1, 3 and 5 by exhaustive key search on AES-128, AES-192 and AES-256 respectively). Neither change requires large-scale work: enlarging hashes and symmetric keys should at worst cost some performance, since more data is processed. For key exchange, QKD would be the ideal solution, but as the required equipment is still under development, other solutions must be explored.
One such alternative is to keep the classical key exchange but pair it with a post-quantum KEM in a hybrid, so that the session key depends on both: even if an attacker records the exchange, recovering the key requires breaking both the classical and the post-quantum component.

The associated protocols aim to ensure a smooth transition and to avoid creating vulnerabilities during or after the implementation. Some have already been implied, such as the recommended KEM hybrids and dual signatures as substitutes for classical key exchange and signatures wherever they are used. These protocols must be in place by the time CRQCs are available in order to preserve confidentiality and integrity, so testing should start sooner rather than later to discover necessary changes (possibly hardware upgrades) and to gain sufficient experience before transitioning.

[Figure: two key-distribution set-ups between a client and a server, KEM plus classical key exchange on the left and QKD on the right.]

An issue that might arise is that some solutions work well for devices whose hardware components can be adjusted easily, but not necessarily for those with hardware limitations, even when alternatives are considered. Such cases further motivate crypto-agility, as it allows some devices to become secure while a solution is found for the remaining ones. Once a suitable solution is found, another migration can quantum-secure the remaining devices, and if the new solution is also adequate for the first group, they could migrate once more.

[Figure: Different device, different migration.]

In addition to the technical measures, there are also social aspects to a full migration to a post-quantum secure environment. As discussed in Section 2.4 on AI, there is a risk that AI circumvents technical security by targeting the human operating it. Similarly, an understanding of quantum computers should exist in the workplace.
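What "the session key depends on both" means in a hybrid key exchange (Section 5.2 above, and the KEM-plus-classical set-up in the figure) is decided by the combiner, the step that turns the two shared secrets into one key. The following is an added example, not code from the report or from any of the projects it cites: it follows the concatenation design used by the TLS hybrid key-exchange drafts, feeding both shared secrets and the public values that produced them through one HKDF-SHA256, so that an attacker must break both components to learn the key and a peer that skipped the post-quantum half cannot land on the same key. The Python standard library has neither X25519 nor ML-KEM, so the two shared secrets and the public values in the demo are constructed random stand-ins of the right lengths; in a deployment they come from the X25519 agreement and the ML-KEM encapsulation/decapsulation. The label, the zero salt and the function names are this example's choices.

```python
"""Hybrid shared-secret combiner (added example, not the report's code).

K = HKDF-Expand(HKDF-Extract(0, len(ss_c)||ss_c||len(ss_pq)||ss_pq),
                label || pub_classical || ct_pq, 32)
"""
import hashlib
import hmac
import os


def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def length_prefixed(*parts):
    """Unambiguous concatenation: a 2-byte length precedes each field, so no
    choice of field boundaries can make two different inputs collide."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def combine(ss_classical, ss_pq, pub_classical, ct_pq, label=b"hybrid-kex-v1"):
    """Derive the 32-byte session key from BOTH shared secrets, binding the
    classical public value and the KEM ciphertext into the derivation."""
    if len(ss_classical) != 32 or len(ss_pq) != 32:
        raise ValueError("expected 32-byte shared secrets (X25519 and ML-KEM both yield 32)")
    ikm = length_prefixed(ss_classical, ss_pq)
    prk = hkdf_extract(b"\x00" * 32, ikm)
    return hkdf_expand(prk, length_prefixed(label, pub_classical, ct_pq), 32)


def demo_exchange():
    """Both peers hold the same two secrets and derive the same key; a peer
    that only completed the classical half (PQ secret missing, e.g. a stripped
    or downgraded share) ends up with a different key. Values are constructed
    stand-ins: 32-byte secrets, 32-byte X25519 public key, 1088-byte
    ML-KEM-768 ciphertext."""
    ss_x25519, ss_mlkem = os.urandom(32), os.urandom(32)
    pub_x25519, ct_mlkem = os.urandom(32), os.urandom(1088)
    client_key = combine(ss_x25519, ss_mlkem, pub_x25519, ct_mlkem)
    server_key = combine(ss_x25519, ss_mlkem, pub_x25519, ct_mlkem)
    classical_only = combine(ss_x25519, b"\x00" * 32, pub_x25519, ct_mlkem)
    return client_key, server_key, classical_only


if __name__ == "__main__":
    c, s, weak = demo_exchange()
    print("peers agree:", c == s, " classical-only peer agrees:", weak == c)
```

The binding of the public value and the ciphertext is what turns two secrets into a key that is also tied to this particular exchange; a combiner that hashed the secrets alone would still be secure if one component held, but would not detect a transcript where the KEM ciphertext had been replaced.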
Such awareness can be achieved through seminars, workshops and similar activities meant to engage relevant personnel. The material need not be complex: a fundamental understanding is enough to reduce the risk of simple mistakes.

Lastly, the end goal should always be kept in view. We therefore offer a checklist of milestones on the way to post-quantum security. The list is not final, as future events could introduce new requirements, and it is meant as a guideline rather than an absolute mandate.

Post-Quantum Migration Checklist
- Inventory
- Prioritization
- Crypto agility
- Adjust sizes
- Hybrid solutions
- Educate personnel
- Complete PQC solutions
- Continue to update

6. Case studies

Quantum computers are an emerging threat, and implementing quantum-safe algorithms and methods can appear challenging. However, a few early adopters are already taking charge of addressing this threat because of their particular exposure and needs.

Which organizations should be the early adopters?
- Businesses with long data retention periods
- Highly regulated businesses
- Critical infrastructure providers

Banks are prime examples that embody all three categories. They handle vast amounts of personal data, are heavily regulated by entities such as the EU through DORA and GDPR (see Section 4), and are considered critical infrastructure. This makes them key candidates for early adoption of post-quantum cryptography (PQC). In addition to banks, other major organizations are also transitioning to quantum-secure cryptography. This section explores how companies in different fields, with a primary focus on banking, are working towards quantum security.

6.1 Industry Examples

Cloudflare: Hybrid key exchange

Cloudflare has implemented a hybrid approach to key agreement by combining classical elliptic-curve cryptography (ECC) with the quantum-safe algorithm ML-KEM.
Specifically, they use a combination of X25519 and a preliminary version of ML-KEM-768 for their TLS connections. Cloudflare has been deploying post-quantum cryptography since 2022 and aims for widespread adoption of these algorithms across its services by 2024. The preliminary version of ML-KEM currently in use will be replaced by the finalized version once NIST publishes it. The initiative is designed to protect web traffic and secure communication channels between users and servers worldwide.

IBM: Dual-signing schemes

IBM has been pivotal in developing and implementing several of the quantum-safe methods selected by NIST. Its involvement began with the NIST competition and has continued since the initial algorithms were selected. IBM focuses on securing data and communication for enterprise clients in sectors such as government, finance and healthcare. With the IBM z16 mainframe, application developers can protect the future integrity of critical documents using dual-signing schemes with the lattice-based algorithm ML-DSA, which NIST has chosen for standardization [7.2].

Santander: Detection tools for quantum-vulnerable algorithms

Santander, in collaboration with GitHub and Microsoft, is addressing the challenge of locating quantum-vulnerable cryptography in code. The work builds on CodeQL, GitHub's code analysis engine, which helps developers identify vulnerabilities that attackers could exploit [7.3]. Santander played a key role in developing Cryptobom-Forge, a tool that builds a cryptographic bill of materials (CBOM) from CodeQL's output. This lets developers analyze the cryptographic components of their software and see how exposed they are to quantum attacks.

JPMorgan Chase: Quantum key distribution

JPMorgan Chase is investing heavily in quantum-safe cryptographic solutions to secure financial transactions and is an active member of the Post-Quantum Cryptography Alliance (PQCA).
Alongside Toshiba and Ciena, JPMorgan Chase has launched a high-speed quantum-secured crypto-agile network (Q-CAN) that uses quantum key distribution (QKD) to secure multiple high-speed VPNs between two data centers over 46 km of telecom fiber in Singapore [7.4]. The set-up ran continuously for 45 days, maintaining high throughput and key refresh rates without impacting performance. The initiative is part of a broader strategy to safeguard sensitive data against emerging quantum threats by integrating QKD with existing infrastructure. The bank's commitment to quantum security addresses the risks posed by future large-scale quantum computers and highlights the growing importance of quantum-secured technologies for data confidentiality and integrity.

Bank of France and Deutsche Bundesbank: Hybrid VPN tunnel

Project Leap, a joint initiative of the BIS Innovation Hub Eurosystem Centre, the Bank of France and Deutsche Bundesbank, aims to quantum-proof the financial system by implementing quantum-resistant virtual private networks (VPNs) for central banks. In its first phase, the project tested post-quantum algorithms such as ML-KEM, FrodoKEM, ML-DSA, FN-DSA and SLH-DSA, integrated into a modified IPsec implementation, strongSwan [7.5]. The project demonstrated that these PQC algorithms can work alongside traditional cryptography in a hybrid set-up, ensuring data confidentiality, integrity and authentication with high throughput and efficient key refresh rates. It focused on crypto-agility, enabling smooth transitions between cryptographic schemes as standards evolve, and it examined the trade-off between security and performance, highlighting the need for application-specific security configurations. A second phase is planned to explore additional network architectures, test different hardware and include more banks.
6.2 Lessons learned

The journey towards adopting quantum-safe cryptography has provided invaluable lessons for organizations across various sectors. These insights highlight the complexities and requirements of securing data against future quantum threats, as well as strategies for successful implementation.

Necessity of crypto-agility

One of the key lessons is the importance of crypto-agility. As quantum computers increasingly threaten traditional cryptographic methods, organizations must be prepared to transition swiftly to quantum-safe algorithms and stay agile enough to adapt if those algorithms are compromised in turn. The same capability supports a later move from hybrid to purely post-quantum systems, which improves performance by dropping the classical component once it is no longer needed; running both can noticeably worsen performance. Almost all companies underscore the importance of crypto-agility so that infrastructure can absorb protocol upgrades without disrupting operations. The testing phase of Project Leap is a telling example. Its key exchange mechanisms could easily accommodate post-quantum algorithms, while the digital signatures required additional configuration before the new algorithms were recognised; the use of X.509 certificates, which carry public keys authenticated by digital signatures, was noted for its agility [7.5]. Another key takeaway is the importance of upgrading systems that lack this flexibility, especially hardware such as HSMs, firewalls and smart cards [7.5]. Central banks and other institutions should assess their systems and plan the necessary upgrades so that they maintain security across all states of data: in transit, at rest and in use.
Just as we lock our doors at night to keep our homes safe, cryptographic agility ensures that our digital world remains secure, now and in the years to come.
Skip Sanzeri, COO at QuSecure

Importance of collaboration

Collaboration across industries is essential for the successful adoption of PQC. Many of the companies in the case studies have partnered with others to pool resources and expertise against common challenges. Initiatives such as Project Leap, the Post-Quantum Cryptography Alliance (PQCA), Santander's collaboration with GitHub and Microsoft, and JPMorgan Chase's partnership with Toshiba and Ciena demonstrate the benefits. The transition to quantum-secure systems requires a range of specialized expertise, including cryptographers, cybersecurity analysts, software developers, hardware engineers and cloud architects. Collaborating with partners lets organizations cover knowledge gaps, which are widespread across many sectors. A 2023 study found that nearly all organizations experience cybersecurity skills gaps, with 92% of cybersecurity professionals noting shortages in one or more areas and 43% identifying significant or critical skills gaps within their organizations. These gaps cover technical skills, such as penetration testing and Zero Trust implementation, as well as non-technical skills such as communication and project management. Collaboration is therefore essential to closing these gaps and implementing new systems successfully.

Trade-off between security and performance

There is a notable trade-off between the level of security and system performance. Higher security often demands more computational resources, which slows systems down. For instance, certain post-quantum algorithms like ML-KEM performed better at higher security levels than others like FrodoKEM [7.5].
This trade-off must be managed carefully, especially in performance-sensitive applications such as instant payments or central bank digital currencies (CBDC). Balancing security and efficiency is critical to keeping systems both secure and functional during the transition period and beyond.

Testing and validating for performance and suitability

Extensive testing and validation are crucial for ensuring that the chosen post-quantum solutions suit each use case. Companies like JPMorgan Chase have tested a range of algorithms and configurations to identify the most suitable solutions for their needs. In Project Leap, for instance, ML-KEM's speed makes it well suited to applications requiring rapid processing, while the efficiency of Falcon (FN-DSA) in handling large numbers of signatures is valuable for certain financial operations. These findings underscore the importance of a tailored approach to selecting cryptographic algorithms, ensuring that they meet each organization's operational and security requirements.

7. Conclusion

7.1 Summary of Key Findings

Based on these considerations, we recommend a comprehensive strategy for migrating to post-quantum cryptography, organized in three phases: before, during and after migration.

Before migration

Assess and plan
- Evaluate systems: Inventory all cryptographic assets, both software and hardware, and assess vulnerabilities using frameworks like Mosca's inequality.
- Resource assessment: Determine the necessary resources (time, expertise, costs).
- Risk assessment: Prioritize critical systems and data, develop mitigation strategies and evaluate current suppliers' capabilities for quantum-safe solutions.
- Objectives and timeline: Set clear objectives and a timeline for transitioning to PQC, based on threat levels and data sensitivity.

Create crypto-agile systems
- System agility: Identify where systems are not agile and which strategies are most effective for crypto-agility.
- Education: Ensure that your team is well versed in both classical and post-quantum cryptographic principles.

During migration

Implement hybrid solutions
- Hybrid solutions: Gradually implement classical/post-quantum hybrid solutions.
- Testing: Validate new solutions for performance and security.

Best practices
- Collaborate: Work with industry peers, researchers and standards organizations for insight and assistance in implementing hybrid cryptography.
- Case studies: Learn from successful migrations by other organizations.

After migration

Ongoing monitoring
- Performance: Continuously monitor system performance and security.
- Security: Regularly assess for vulnerabilities, especially quantum-related ones.

Review and improve
- Review process: Evaluate the migration, noting successes and areas for improvement.
- Feedback: Gather feedback from employees and stakeholders for continual enhancement.

Employee training
- Continued education: Keep employees up to date on cryptographic security trends.
- Support system: Offer resources and guidance to ease the move to the new systems.

7.2 Final Thoughts

The rise of quantum computing is not a distant future; it is an impending reality that threatens to upend the foundations of digital security. The question is not if, but when quantum computers will be capable of breaking our current cryptographic systems. As quantum capabilities evolve, so must our defenses. This demands a robust, flexible infrastructure capable of rapidly integrating new cryptographic standards. Institutions that proactively implement quantum-resistant solutions will not only safeguard their sensitive data and maintain regulatory compliance, but also protect the legacy and future of the financial sector. This leadership can become a defining characteristic, distinguishing forward-thinking organizations from those that react too late. Our legacy should be one of foresight and resilience, not of failure to act in the face of known threats.

8. Appendix
Appendix A: Post-Quantum Cryptography algorithms

Digital signature algorithms (DSA)

Algorithm (foundation)          Parameter set   NIST level   Public key (bytes)   Private key (bytes)   Signature (bytes)
ML-DSA (lattice-based)          ML-DSA-44       2            1312                 2560                  2420
                                ML-DSA-65       3            1952                 4032                  3309
                                ML-DSA-87       5            2592                 4896                  4627
FN-DSA (lattice-based)          FN-DSA-512      1            897                  1281                  752
                                FN-DSA-1024     5            1793                 2305                  1462
SLH-DSA (stateless hash-based)  SLH-DSA-128s    1            32                   64                    7856
                                SLH-DSA-192s    3            48                   96                    16224
                                SLH-DSA-256s    5            64                   128                   29792
MAYO (oil-and-vinegar-based)    MAYO-2          1            5488                 24                    321
                                MAYO-3          3            2656                 32                    577
                                MAYO-5          5            5008                 40                    838

Key encapsulation mechanisms (KEM)

Algorithm (foundation)          Parameter set              NIST level   Public key (bytes)   Private key (bytes)   Ciphertext (bytes)
ML-KEM (lattice-based)          ML-KEM-512                 1*           800                  1632                  768
                                ML-KEM-768                 3            1184                 2400                  1088
                                ML-KEM-1024                5            1568                 3168                  1568
Classic McEliece (code-based)   Classic-McEliece-348864    1            261120               6492                  96
                                Classic-McEliece-460896    3            524160               13608                 156
                                Classic-McEliece-6688128   5            1044992              13932                 208
BIKE (code-based)               BIKE-L1                    1            1541                 5223                  1573
                                BIKE-L3                    3            3083                 10105                 3115
                                BIKE-L5                    5            5122                 16494                 5154
HQC (code-based)                HQC-128                    1            2249                 2305                  4433
                                HQC-192                    3            4522                 4586                  8978
                                HQC-256                    5            7245                 7317                  14421

* ML-KEM-512 has been discussed to not meet NIST's first security level. NIST addressed this issue during the fifth PQC conference, during which they announced they still believed it to be sufficiently secure [9.1].

Appendix B: Further Reading

The Quantum Threat Timeline Report 2023 by Dr. Michele Mosca and Dr. Marco Piani of evolutionQ Inc. details when quantum computers might become capable of breaking current cryptographic algorithms like RSA and ECC, which are fundamental to today's cybersecurity. The report underscores the urgent need for transitioning to quantum-safe cryptography to mitigate these looming risks, providing a timeline that guides policymakers, businesses, and researchers in their preparations.
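The migration plan in 7.1 asks that vulnerabilities be assessed with Mosca's inequality, and the trade-off discussion stresses the size cost of post-quantum replacements. The Python below is an added example, not code from the report or from Länsförsäkringar: it ranks a constructed inventory by the Mosca margin x + y - z (x is how long the protected data must stay trustworthy, y the time needed to migrate the system, z the estimated time until a cryptographically relevant quantum computer) and attaches the per-artefact byte growth of each chosen replacement using the Appendix A figures. The classical baseline sizes, the 15-year CRQC estimate and the three inventory entries are assumptions made for the example.

```python
"""Quantum-risk triage for a cryptographic inventory.

Added example, not code from the report. Applies Mosca's inequality
(x + y > z means the asset is exposed before migration completes) to a
constructed inventory and reports the size overhead of each post-quantum
replacement using the Appendix A figures.
"""
from dataclasses import dataclass

# Appendix A figures, in bytes: (public key, private key, signature or ciphertext).
PQ_SIZES = {
    "ML-DSA-65": (1952, 4032, 3309),
    "FN-DSA-512": (897, 1281, 752),
    "SLH-DSA-128s": (32, 64, 7856),
    "ML-KEM-768": (1184, 2400, 1088),
}

# Classical baselines in bytes. Assumed typical encodings, not figures from the
# report: RSA-2048 as DER SubjectPublicKeyInfo, approximate PKCS#1 private key
# and raw signature; ECDSA P-256 as an uncompressed point, raw scalar and r||s;
# X25519 as raw 32-byte values on both sides of the exchange.
CLASSICAL_SIZES = {
    "RSA-2048": (294, 1190, 256),
    "ECDSA-P256": (65, 32, 64),
    "X25519": (32, 32, 32),
}


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str            # current classical primitive (key of CLASSICAL_SIZES)
    shelf_life_years: float   # x: how long data or signatures must remain trustworthy
    migration_years: float    # y: realistic time to migrate this system
    replacement: str          # candidate PQ primitive (key of PQ_SIZES)


# Assumed z for the worked example; a real assessment would take it from a
# quantum threat timeline rather than hard-coding it.
CRQC_ESTIMATE_YEARS = 15

# Constructed inventory, loosely modelled on banking workloads the report names.
SAMPLE_INVENTORY = [
    Asset("Archived customer records (TLS in transit)", "X25519", 15, 3, "ML-KEM-768"),
    Asset("Instant payments authorisation (HSM signing)", "ECDSA-P256", 1, 5, "FN-DSA-512"),
    Asset("Long-term contract signatures", "RSA-2048", 20, 4, "ML-DSA-65"),
]


def mosca_margin(asset, crqc_years):
    """x + y - z. Positive means the asset is exposed before migration completes."""
    return asset.shelf_life_years + asset.migration_years - crqc_years


def size_overhead(current, replacement):
    """Per-artefact byte growth when swapping a classical primitive for a PQ one."""
    cur, new = CLASSICAL_SIZES[current], PQ_SIZES[replacement]
    return {
        "public_key": new[0] - cur[0],
        "private_key": new[1] - cur[1],
        "signature_or_ciphertext": new[2] - cur[2],
    }


def triage(inventory, crqc_years):
    """Rank assets most-exposed first; each row carries the Mosca margin and overhead."""
    rows = []
    for asset in inventory:
        margin = mosca_margin(asset, crqc_years)
        rows.append({
            "name": asset.name,
            "margin_years": margin,
            "at_risk": margin > 0,
            "replacement": asset.replacement,
            "overhead": size_overhead(asset.algorithm, asset.replacement),
        })
    return sorted(rows, key=lambda r: r["margin_years"], reverse=True)


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, CRQC_ESTIMATE_YEARS):
        flag = "AT RISK" if row["at_risk"] else "ok"
        print(f"{flag:7} margin={row['margin_years']:+.0f}y  {row['name']} -> {row['replacement']}")
        for field, delta in row["overhead"].items():
            print(f"         {field}: {delta:+d} bytes")
```

The ordering matters more than the absolute numbers: a signing system whose signatures are verified within seconds has a short shelf life and drops to the bottom even if migrating it takes years, while data that must stay confidential for decades is exposed today to harvest-now-decrypt-later collection and belongs at the top of the plan, which is why it pairs with a KEM swap (ML-KEM-768) rather than a signature swap.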
Minimizing the Risks: Quantum Technology and Financial Services (November 2023) explores the significant risks and opportunities quantum computing presents to the financial sector. While the technology promises advancements in areas like risk optimization and fraud detection, it also poses a threat to current cryptographic systems, which could be compromised by future quantum computers. The report stresses the urgency of adopting quantum-safe measures and offers guidelines for financial institutions to mitigate these risks and secure their systems against emerging quantum threats.

The PQC Migration Handbook (Version 2 - December 2023), from the Cryptology Group of the Netherlands National Communications Security Agency, is a thorough guide for transitioning to post-quantum cryptography (PQC). It provides essential strategies and best practices for organizations to migrate to quantum-resistant cryptographic methods, addressing quantum threats and the importance of early planning. This handbook is vital for those seeking to protect their systems against future quantum computing threats.

Project Leap (June 2023) is a strategic initiative dedicated to advancing quantum-resistant technologies to protect critical infrastructures against quantum computing threats. The project offers a roadmap for organizations to assess their cryptographic systems, identify vulnerabilities, and implement quantum-safe solutions. It emphasizes collaboration across industry, government, and academia to accelerate the adoption of post-quantum cryptography, providing practical steps for a smooth transition to quantum safety.

NIST's standardization papers. NIST is expected to release FIPS 203, 204, 205 for ML-KEM, ML-DSA, and FN-DSA, respectively, in late summer or early fall of 2024. The standardization paper for FN-DSA is delayed due to implementation complexity. When these papers are released they will be of great value, as they should offer more insight into how the algorithms can and should be used. Furthermore, SP 800-227 will cover general guidance for KEMs and will also be valuable, but it has no set date by which it is expected to be released.

9. References

Kleinjung, T., Aoki, K., Franke, J., Lenstra, A., Thomé, E., Bos, J., Gaudry, P., Kruppa, A., Montgomery, P., Osvik, D. A., te Riele, H., Timofeev, A., & Zimmermann, P. (2010). Factorization of a 768-bit RSA modulus. Cryptology ePrint Archive, Paper 2010/006. https://eprint.iacr.org/2010/006

Borgeaud, A. (2023, August 10). Motivations for hacking worldwide 2022. Statista. Retrieved from https://www.statista.com/statistics/800917/worldwide-reasons-for-hacking/

Vahromovs, V. (2021, November 22). Legacy systems in banking: The major barrier for digital transformation. Intellectsoft. Retrieved from https://www.fintechfutures.com/2021/11/legacy-systems-in-banking-the-major-barrier-for-digital-transformation/

Schneider, J., & Smalley, I. (2024, February 28). What is a qubit? IBM. Retrieved from https://www.ibm.com/topics/qubit

Microsoft. (n.d.). Explore quantum entanglement. Retrieved from https://quantum.microsoft.com/en-us/explore/concepts/entanglement

Wootters, W., & Zurek, W. (1982). A single quantum cannot be cloned. Nature, 299(5886), 802–803. https://doi.org/10.1038/299802a0

Roffe, J. (2019). Quantum error correction: An introductory guide. Contemporary Physics. arXiv. https://doi.org/10.48550/arXiv.1907.11157

TechHQ. (2021, October 28). China has quantum computers that are 1 million times more powerful than Google's. TechHQ. Retrieved from https://techhq.com/2021/10/china-has-quantum-computers-that-are-a-million-times-more-powerful-than-googles/

IBM. (2022, November 9). IBM unveils 400 qubit-plus quantum processor and next-generation IBM Quantum System Two: Company outlines path towards quantum-centric supercomputing with new hardware, software, and system breakthrough. IBM Newsroom. Retrieved from https://newsroom.ibm.com/2022-11-09-IBM-Unveils-400-Qubit-Plus-Quantum-Processor-and-Next-Generation-IBM-Quantum-System-Two

Atom Computing. (2023, October 24). Quantum startup Atom Computing first to exceed 1,000 qubits. Atom Computing. Retrieved from https://atom-computing.com/quantum-startup-atom-computing-first-to-exceed-1000-qubits/

IBM. (2024, May). Quantum computing roadmap. Retrieved from https://www.ibm.com/roadmaps/quantum.pdf

Google Quantum AI. (n.d.). Quantum computing service map. Retrieved from https://quantumai.google/learn/map

Brooks, M. (2023, January 6). What's next for quantum computing: Companies are moving away from setting qubit records in favor of practical hardware and long-term goals. MIT Technology Review. Retrieved from https://www.technologyreview.com/2023/01/06/1066317/whats-next-for-quantum-computing/

Fowler, A. G., Mariantoni, M., Martinis, J. M., & Cleland, A. N. (2012). Surface codes: Towards practical large-scale quantum computation. Physical Review A, 86, 032324. https://doi.org/10.48550/arXiv.1208.0928

Gidney, C., & Ekerå, M. (2021). How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits. Quantum, 5, 433. https://doi.org/10.48550/arXiv.1905.09749

Choi, C. Q. (2024, April 3). Microsoft tests new path to reliable quantum computers: 1,000 physical qubits for each logical one? Try a dozen, says Redmond. IEEE Spectrum. Retrieved from https://spectrum.ieee.org/microsoft-quantum-computer-quantinuum

Google Quantum AI. (2023). Suppressing quantum errors by scaling a surface code logical qubit. Nature, 614, 676–681. https://doi.org/10.1038/s41586-022-05434-1

Eagar, R., Könnecke, L., & Ezratty, O. (2022, May). Quantum computing: The state of play and what it means for business. Arthur D. Little. Retrieved from https://www.adlittle.com/nl-en/insights/viewpoints/quantum-computing

Gagliardoni, T. (2021, August 24). Quantum attack resource estimate: Using Shor's algorithm to break RSA vs DH/DSA vs ECC. Kudelski Security. Retrieved from https://research.kudelskisecurity.com/2021/08/24/quantum-attack-resource-estimate-using-shors-algorithm-to-break-rsa-vs-dh-dsa-vs-ecc/

Shor, P. W. (1994). Algorithms for quantum computation: Discrete logarithms and factoring. In Proceedings of the 35th Annual Symposium on Foundations of Computer Science (pp. 124–134). IEEE. https://doi.org/10.1109/SFCS.1994.365700

Bavdekar, R., Chopde, E. J., Bhatia, A., Tiwari, K., & Daniel, S. J. (2022). Post quantum cryptography: Techniques, challenges, standardization, and directions for future research. arXiv preprint arXiv:2202.02826.

Grover, L. K. (1996). A fast quantum mechanical algorithm for database search. In Proceedings of the twenty-eighth annual ACM symposium on Theory of Computing (pp. 212–219). ACM. https://doi.org/10.1145/237814.237866

Brassard, G., Hoyer, P., & Tapp, A. (1997). Quantum algorithm for the collision problem. arXiv preprint quant-ph/9705002.

Comandar, L., Bobier, J.-F., Coden, M., & Deutscher, S. A. (2021, March 30). Ensuring online security in a quantum future. Boston Consulting Group. Retrieved from https://www.bcg.com/publications/2021/quantum-computing-encryption-security

Xu, T., & Whitfield, B. (2024, February 8). Cryptographers are racing against quantum computers: Today's security schemes will soon be obsolete. Built In. Retrieved from https://builtin.com/articles/post-quantum-cryptography

Temkin, M. (2024, January 17). Quantum computing deals hit record count in 2023. PitchBook. Retrieved from https://pitchbook.com/news/articles/quantum-computing-vc-record-deals-2023

Liu, Y., Zhang, W. J., Jiang, C., Chen, J. P., Zhang, C., Pan, W. X., ... & Pan, J. W. (2023). Experimental twin-field quantum key distribution over 1000 km fiber distance. Physical Review Letters, 130(21), 210801.

Wang, L. J., Zhang, K. Y., Wang, J. Y., et al. (2021). Experimental authentication of quantum key distribution with post-quantum cryptography. npj Quantum Information, 7, 67. https://doi.org/10.1038/s41534-021-00400-7

Mengoni, R., Ottaviani, D., & Iorio, P. (2020). Breaking RSA security with a low noise D-Wave 2000Q quantum annealer: Computational times, limitations and prospects. arXiv preprint arXiv:2005.02268.

NVIDIA. (n.d.). Blackwell architecture. Retrieved from https://www.nvidia.com/en-us/data-center/technologies/blackwell-architecture/

Guembe, B., Azeta, A., Misra, S., Osamor, V. C., Fernandez-Sanz, L., & Pospelova, V. (2022). The emerging threat of AI-driven cyber attacks: A review. Applied Artificial Intelligence, 36(1). https://doi.org/10.1080/08839514.2022.2037254

National Institute of Standards and Technology. (2016, December 20). NIST asks public to help future-proof electronic information. NIST. Updated January 8, 2018. Retrieved from https://www.nist.gov/news-events/news/2016/12/nist-asks-public-help-future-proof-electronic-information

National Institute of Standards and Technology. (2020, July 22). PQC standardization process: Third round candidate announcement. NIST. Created July 20, 2020. Updated July 22, 2020. Retrieved from https://csrc.nist.gov/News/2020/pqc-third-round-candidate-announcement

The NIST PQC Team. (2022, July 5). PQC standardization process: Announcing four candidates to be standardized, plus fourth round candidates. NIST. Created March 24, 2022. Updated February 6, 2023. Retrieved from https://csrc.nist.gov/News/2022/pqc-candidates-to-be-standardized-and-round-4

Alagic, G., Apon, D., Cooper, D., Dang, Q., Dang, T., Kelsey, J., Lichtinger, J., Miller, C., Moody, D., Peralta, R., Perlner, R., Robinson, A., Smith-Tone, D., & Liu, Y.-K. (2022). NIST IR 8413-upd1: Status report on the third round of the NIST post-quantum cryptography standardization process. National Institute of Standards and Technology. https://doi.org/10.6028/NIST.IR.8413-upd1

Savage, N. (2023, November 1). Keeping secrets in a quantum world: Cryptographers are preparing for new quantum computers that will break their ciphers. Spotlight. Correction published November 16, 2023.

Beullens, W. (2022). Breaking Rainbow takes a weekend on a laptop. Cryptology ePrint Archive, Paper 2022/214. Retrieved from https://eprint.iacr.org/2022/214

Moody, D. (2024, April 10–12). Fifth PQC Standardization Conference [Conference presentation]. National Institute of Standards and Technology. Retrieved from https://csrc.nist.gov/Events/2024/fifth-pqc-standardization-conference

Beullens, W., D'Anvers, J.-P., Hülsing, A., Lange, T., Panny, L., de Saint Guilhem, C., & Smart, N. P. (2021). Post-quantum cryptography: Current state and quantum mitigation (2nd ed.). European Union Agency for Cybersecurity (ENISA). https://doi.org/10.2824/92307. ISBN: 978-92-9204-468-8

Konkel, F. (2013, September 6). What NSA's influence on NIST standards means for feds. FCW. Retrieved from https://web.archive.org/web/20130910030443/http://fcw.com/Articles/2013/09/06/NSA-NIST-standards.aspx

Sparkes, M. (2023, October 10). Mathematician warns US spies may be weakening next-gen encryption. New Scientist. Retrieved from https://www.newscientist.com/article/2396510-mathematician-warns-us-spies-may-be-weakening-next-gen-encryption/

Söderling, P., & Hannon, D. (2024). How Asian countries are addressing post-quantum cryptography: Part two in QSI's series of global cryptography reports. Quantum Strategy Institute. Retrieved from https://quantumstrategyinstitute.com/wp-content/uploads/2024/02/How-Asian-Countries-are-Addressing-Post-Quantum-Cryptography.pdf

European Commission. (n.d.). The European Quantum Communication Infrastructure (EuroQCI) Initiative. Retrieved from https://digital-strategy.ec.europa.eu/en/policies/european-quantum-communication-infrastructure-euroqci

Pirandola, S. (2021). Satellite quantum communications: Fundamental bounds and practical security. Physical Review Research, 3(2), 023130.

Westerbaan, B. (2024, March 5). The state of the post-quantum Internet. Cloudflare Blog. Retrieved from https://blog.cloudflare.com/pq-2024

Lin, S., Tan, J., Asogamoorthy, A., Nekritz, K., Misoczki, R., & Delimanolis, S. (2024, May 22). Post-quantum readiness for TLS at Meta. Meta Engineering Blog. Retrieved from https://engineering.fb.com/2024/05/22/security/post-quantum-readiness-tls-pqr-meta/

National Institute of Standards and Technology. (2023, December). FAQ on Kyber512. Retrieved from https://csrc.nist.gov/csrc/media/Projects/post-quantum-cryptography/documents/faq/Kyber-512-FAQ.pdf

IBM X-Force. (2024). IBM X-Force Threat Intelligence Index 2024. IBM. https://www.ibm.com/account/reg/us-en/signup?formid=urx-52629

Paine, K. (2023, August 11). CRQCs: Cryptographically relevant quantum computers. Splunk. Retrieved August 7, 2024, from https://www.splunk.com/en_us/blog/learn/crqcs-cryptographically-relevant-quantum-computers.html

Art. 83 GDPR – General conditions for imposing administrative fines – General Data Protection Regulation (GDPR). (2018, March 29). Retrieved from https://gdpr-info.eu/art-83-gdpr/

European Union. (2022). Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014. Official Journal of the European Union, L 333, 16 December 2022, pp. 1–79. Available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2554&from=FR

CMS. (2023). Digital Operational Resilience Act (DORA) Regulation Guide. Retrieved from https://cms.law/en/int/publication/digital-operational-resilience-act-dora-regulation-guide

Attema, T., Diogo Duarte, J., Dunning, V., Lequesne, M., van der Schoot, W., & Stevens, M. (2023, March). The PQC migration handbook: Guidelines for migrating to post-quantum cryptography.

ISARA Corporation. (2020). Managing cryptographic and quantum risk. ISARA Corporation. Retrieved from https://www.isara.com/downloads/guides/Managing%20Cryptographic%20and%20Quantum%20Risk.pdf

Mosca, M. (2018). Cybersecurity in an era with quantum computers: Will we be ready? ResearchGate. https://www.researchgate.net/publication/328255449_Cybersecurity_in_an_Era_with_Quantum_Computers_Will_We_Be_Ready

Patil, K. (2024, August 1). 8 essential considerations for post-quantum cryptography migration. Security Boulevard. Retrieved from https://securityboulevard.com/2024/08/8-essential-considerations-for-post-quantum-cryptography-migration/

Sheik, B. (2024, May 13). Post-quantum cryptography will strengthen zero trust architecture. Retrieved from https://www.qnulabs.com/post-quantum-cryptography-zero-trust/

Fortanix. (2024, February 1). Zero trust and PQC with Fortanix DSM. Retrieved from https://www.fortanix.com/resources/solution-briefs/zero-trust-and-pqc-with-fortanix-dsm

Available on IBM z16: Future-proof digital signatures with a quantum-safe algorithm selected by NIST. (2022, July 26). IBM Blog. Retrieved from https://www.ibm.com/blog/announcement/available-on-ibm-z16-future-proof-digital-signatures-with-a-quantum-safe-algorithm-selected-by-nist/

Santander. (2024, July 3). The future for customer data security: post-quantum cryptography. Retrieved from https://www.santander.com/en/stories/the-future-for-customer-data-security-post-quantum-cryptography

Alia, O., Huang, A., Luo, H., Amer, O., Pistoia, M., & Lim, C. (2024, May 7). 100 Gbps Quantum-safe IPsec VPN Tunnels over 46 km deployed fiber. Retrieved from https://arxiv.org/abs/2405.04415 [7.5]

Project Leap: Quantum-proofing the financial system. (2023, June 5). Retrieved from https://www.bis.org/publ/othp67.htm

International Information System Security Certification Consortium, Inc. (ISC2). (2023). Cybersecurity Workforce Study 2023. ISC2. https://www.isc2.org/-/media/Project/ISC2/Main/Media/documents/research/ISC2_Cybersecurity_Workforce_Study_2023.pdf

Dang, Q. (2024, April 10–12). Fifth PQC Standardization Conference [Conference presentation]. National Institute of Standards and Technology. Retrieved from https://csrc.nist.gov/Events/2024/fifth-pqc-standardization-conference