Before PQC diagnosis, you should choose what persona you identify with.
The three main PQC personas are listed below. Division is based on the following characteristics.
- Attack surface: What infrastructure does the organisation provide/have which is prone to attacks aided by a quantum computer?
- System types: Which kind of systems are handled and what is the impact of a malfunction of these systems?
- Data types: Which kind of data and information is handled in terms of criticality, disclosure sensitivity and the consequences of unauthorised and undetected modification?
- Time pressure: How quickly does PQC migration need to take place to ensure safety of data and systems, taking into account store-now-decrypt-later attacks?
- Dependency on other organisations: How do different organisations depend on one another?
- Threat level: How realistic is it that a malicious actor with a quantum computer will choose to attack this organisation?
Urgent adopters 🚨❗
Urgency: Start PQC diagnosis as soon as possible
Type of organisations
- Organisations that handle personal data with a long confidentiality span (risk for store-now-decrypt-later attacks). E.g. Governments, organisations in healthcare such as hospitals, financial organisations and insurance providers. There are currently no laws in place for protecting personal data against quantum computers or the use of PQC to mitigate it. Note: The owners may be held responsible in case a quantum computer is used to decrypt data which is currently being stored.
- Organisations that handle organisationally sensitive data with a long confidentiality span (risk for store-now-decrypt-later attacks). E.g. State secrets, transactions, minutes, trade secrets, and any information which is classified for entities outside of the organisation. Examples of such organisations are the military, national intelligence organisations, governments, financial organisations, knowledge institutes and universities. Impact of such data breach would be: breaking laws regarding personal information, losing (some of) its competitive advantage in the market, a loss of knowledge or state security, or a general negative impact on the entire economy.
- Organisations that provide systems that are crucial for the functioning of large groups of people, e.g. towns, cities, provinces or even countries. Systems that provide things such as water, electricity, transport, communication and healthcare. Daily lives may be disrupted. It may cause serious damage, injury or even death. Malware or ransomware have shown how disruptive it can be for malfunctioning of such systems. Examples of critical infrastructure providers are energy or water providers, transport organisations such as train companies or airports, communication companies such as telecom providers, web browsers and healthcare providers such as hospitals.
- Organisations that provide systems which are built to have a long life-span. Post-quantum cryptography usually has different (usually heavier) hardware requirements than current cryptography, because of which the production of systems with a lifespan of more than 20 years should already take these hardware requirements into account. Examples are satellites, payment terminals, cars, telecommunication networks, energy providers, smart meters, smart industry (4.0) and sensor networks.
Any organisation that does not identify as any of the urgent adopter personas.
As organisation you do:
- Handle data
- Provide systems
However, the data is:
- Not prone to store-now-decrypt-later attacks
- Not critical or long-lived
- May be prone to attacks using a quantum computer
- Beneficial to await further standardisation
Urgency: There’s no need to react immediately. However, organisations should make sure that they are in the best condition to migrate later. The following recommendations apply:
- Make sure they are up-to-date with the latest security guidelines (for instance migrate from TLS 1.2 to TLS 1.3)
- Favour crypto-agile solutions
- Predict performance of cryptographic algorithms on PQC update
- May start doing the risk-assessment and diagnosis steps
- Follow the standardisation efforts
Some organisations may want to act proactively and go further in applying the migration plan. Some reasons of which are:
Your organisation is about to make large infrastructure investments
Your organisation changes its activity or your organisation has new clients, which changes the risk assessment.
Either way, these steps will have to be taken at some point, so it is never completely useless to initiate diagnosis.
We mention this persona because it is important:
- For urgent adopters to know this group exists
- What urgents adopters can expect from this group
- To bring concrete advice to this group. E.g. Cryptography Experts should be ready to expect questions from customers, PQC migration related
- Urgent adopters may ask whether their products are quantum-safe or not, if not, when they expect their products to be quantum-safe. Urgent adopters may have to choose to switch to a different vendor for their cryptographic assets.
Type of organisations
- Standard Developing Organisations: These are organisations that define cryptographic standards and/or protocols on national or international level. Examples are NIST, ETSI, IETF, TLS, IEEE, ISO/IEC, TCG, ANSI, W3C and ENISA.
- Cryptographic Infrastructure Providers: Organisations that develop, implement or service cryptographic infrastructure on national or international level. Examples are FOX- Crypto, Logius, Compumatica, NXP, Brightsight, Technolution, Apache and MSSPs (Managed Security Service Providers) such as Cipher and SecurityHQ. for other companies to use.
- Providers of Cryptography Beyond Secure Communication: Organisations that develop, implement or service infrastructure based on cryptographic protocols which are used for purposes beyond secure communication. Examples of such protocols are blockchain, Zero-Knowledge Proofs, Multi-Party Computation and Idemix.