Managing the Migration to Post-Quantum-Cryptography
Cryptographically relevant quantum computers (CRQC) are presumably able to break today's prevalent classic cryptographic algorithms. Protocols and schemes based on these algorithms would become insecure if such CRQCs would become available. Although it is not exactly known, whether this will actually happen, organizations (and the IT society) have to plan on migrating to quantum-resilient cryptographic measures, also known as Post-Quantum Cryptography (PQC). However, migrating IT systems and applications in organizations to support and integrate new software components is a difficult task. There exists to the best of our knowledge no generalized approach to manage such a complex migration for cryptography used in IT systems. We present a process for managing the migration from classic cryptography to PQC. Our solution is based on best practices, challenges, and problems derived from established software migration approaches. Compared to existing approaches, our proposal provides a means to help organizations migrate to PQC in a manageable manner and maintain crypto-agility. Thus, our process does not only serve as a framework for a one-time adaptation but also as a blueprint for organizing crypto-agile IT systems.
READ FULL TEXT