Migration to quantum-safe cryptography: about making decisions on when, what and how to migrate to a quantum-safe situation
report
Globally, great effort is being put into building a quantum computer. Quantum computers are anticipated to outperform conventional (super)computers in solving the mathematical problems that lie at the foundation of commonly used cryptosystems. An efficient algorithm for factoring large integers, for example, renders the RSA cryptosystem insecure; for this reason, quantum computers pose a very serious threat to this widely used cryptosystem. Similar conclusions can be drawn for many other cryptosystems that are currently deployed. The advent of a quantum computer will therefore have an enormous impact on cryptography, and migration to quantum-safe solutions is inevitable. TNO has drawn up this report to assist organisations in making decisions on when, what and how to migrate to a quantum-safe situation.

Quantum computers already exist today. The existing technology is, however, not yet powerful enough to break cryptography. Although it is extremely difficult to predict future technological developments, some leading experts estimate that there is a likelihood of 50% or more that RSA-2048 will be broken by a quantum computer in 15 years' time; see [GRI19]. Events that will be useful in monitoring advances in quantum computing are improvements in the quality of quantum gates and in error correction on quantum bits, along with so-called quantum supremacy, i.e. a quantum computer actually solving a problem faster than a classical computer.

Besides the technological developments, two additional factors play an important role in determining the urgency of mitigating this threat. First, one must determine how long information must remain private. In particular, the fact that an attacker is only capable of decrypting private information tomorrow does not mean that our IT infrastructure is secure today: with a store-now-decrypt-later attack, information captured today will still be compromised once decryption becomes possible. Second, migrating an IT infrastructure is a complex task that takes time. All in all, even though the threat of a quantum computer may still be more than a decade away, action is already required today.
TNO Identifier: 880271
Publisher: TNO
Place of publication: Den Haag