The Question Mark

Quantum computers have been gaining traction since recent years. What we’re seeing in the technology field is that there are divided opinions on whether to act upon the possible threat today. Hence, some organisations are waiting for NIST and the standardization to be settled further before proceeding, while other organisations are taking actions already and another group that chooses to ignore it.

One of the core questions you might wonder as organisation is:

Is it a realistic threat we should act upon today?

There are already three key reasons why organisations should identify and start working on the migration to PQC now already:

  1. Sensitive information is at risk of being intercepted and stored now and decrypted in the future with a quantum computer. Such an attack is called a store-now-decrypt-later attack. There are serious suspi- cions that this harvesting of encrypted data is already taking place. Thus, data which needs to remain protected for a long time is already at risk of being decrypted before the end of this confidentiality period.
  2. Long-lived systems and critical infrastructures developed and deployed now are very hard or even impos- sible to update to PQC later on. Even if it is possible to upgrade the software running on these systems, PQC requires heavier machinery to function, which might be impossible to replace once the system is deployed.
  3. Updating or replacing cryptographic infrastructure to post-quantum alternatives is a very cumbersome and resource-consuming task. Judging from previous migrations, it is expected that updating legacy systems will require a lot of planning and preparation. As an example, it took over five years to migrate from SHA-1 to SHA-256 for all organisations, vendors, and other parties even after the specifications and implementations were already available.

If you fall under one of these three cases - the next thing you will need is a migration framework.

The migration framework, and the migration plan that documents it, comprises the following three stages:

  • Inventory compilation
  • Preparation of the migration plan
  • Migration execution

To read more about the migration framework - visit Migration Framework.

Note: the Migration Framework contents are from The PQC Migration Handbook by the TNO, CWI and AIVD.