Experimenting together generates knowledge and reduces risk (PQC Benchmarking)
Many IT applications need to migrate their cryptographic algorithms to quantum-safe cryptography due to the arrival of quantum computers. Yet many organisations are hesitant to start. In the PCSI project ‘PQC Benchmarking’, migration knowledge is gained by migrating and benchmarking common IT applications. Manon de Vries (researcher and project leader, TNO) and Gamze Tillem (CISO Security Architect, ING) explain how the project can eliminate uncertainty about migration.
Quantum computers can contribute to new products and services, and can solve problems that are practically unsolvable for current computers. At the same time, an answer must be given to the security risks that the quantum era brings. “The migration to quantum safe cryptography (post quantum cryptography; PQC) is a huge undertaking. The fact that there are many unknowns and uncertainties surrounding the migration doesn’t help. For example, it is unclear what the impact of migration itself will be and we don’t know what the differences are between the various options, when used in practice. All this makes many organisations hesitate to start with post-quantum cryptography. Nevertheless, it is important to get started, because not starting will ultimately lead to increased risks,” says Manon de Vries.
Just do it
“With this PCSI project, we want to eliminate some of this uncertainty. How? By actually performing migrations. We gain migration knowledge by migrating and benchmarking common IT applications in a controlled test environment. In this way, we gain experience on the PQC migration and capture both the process and technical impact. Three of the participating PCSI partners migrate one of their applications within the project and test multiple PQC schemes. We performed the first proof-of-concept with ABN AMRO and then we started a pilot with Belastingdienst and ING. All these applications are common applications that together give useful comprehensive insight of the potential impact on the IT landscape,” De Vries explains.
“At ING we also saw the need to start experimenting with PQC and participating in this project seemed a good opportunity. It gives us practical experience in performing cryptographic migrations. We see where the challenges for our organisation lie and a project like this also helps to increase internal awareness. Moreover, although each partner has its own use case, we also learn a lot from each other’s findings,” Gamze Tillem adds.
Learning by doing
“We learned a lot. The project shows that we really need to do this together with our vendors. Because without good collaboration with vendors, you won’t get there. For example, you can’t get started if they don’t provide suitable algorithms. In addition, you need to make cryptography agile to be able to achieve successful migration. And it’s important to have support from management, so that enough time and effort can be invested in PQC. Make sure to get senior management on board. Luckily, that’s the case at ING. And the great thing about this project is that it’s something positive to show off, which only motivates the company more to prioritise PQC migration. After all, it’s easier to market success than risk. And at this early stage, vendors will also be more inclined to help and show that they already support PQC,” says Tillem.
What are the results so far?
“There are results in various areas. For example, we obtain information about the difficulty of the migrations themselves, on performance of the new algorithms, about topics such as crypto agility (how did we manage that in practice?), technical aspects (did we encounter problems, were architectural changes necessary?) and general experiences (which people do you need, which pitfalls should you avoid?). This experiment helps organisations to clarify their questions and wishes, which they then can communicate to their vendors. This helps the vendors to know what to focus on to take the next step together. The knowledge we gain about the process and the impact of PQC migration, about algorithm differences and migration options in practice and pitfalls and bottlenecks, is interesting for every company with an IT component,” De Vries thinks.
“It was exciting, for example whether the algorithm would work. But it was nice to see that the performance impact of the migration was smaller than we had expected. We observed most challenges in the readiness of vendors, protocols and libraries. When you want to migrate an application to PQC algorithms, the protocols within that application should understand how to work with these new algorithms. We see that the standards around those protocols and libraries are still missing support in that sense. But we believe those will gain more importance in the coming years and the developments will speed up and vendors will be the front runners,” says Tillem.
International attention
The PQC Benchmarking project is receiving (inter)national attention. For example, De Vries and Tillem are giving various presentations in the Netherlands and abroad. De Vries: “I was surprised by the amount of attention we received, even during the proof-of-concept phase. I think that indicates that there is a great need for practical tips in the field of PQC migration. There is interest from both government and companies that want to contribute and collaborate with us. In the coming period, we will see whether and how we can shape that in projects.”
Collaboration is key
“We are now busy working out the knowledge we have acquired and will then share it, catering to different perspectives. In addition to the presentations, we are writing various blogs. The first one, aimed at managers, will soon be online and versions for IT architects, vendor management and programmers will follow. Because this collaboration and the results of the project are so valuable, we are also looking at possibilities for a follow-up project,” says De Vries.
“If there will be a follow-up, we would like to participate again, because this collaboration has helped us and brought us a lot. With a small group of enthusiastic people, we have been able to achieve much more than I had anticipated. It helps that the parties involved want to share their knowledge and that there is no competition. And that is how it should be; cybersecurity is not a subject to compete on. After all, we all have the same goal. PQC is an important subject. Considering the recommended timelines, we should be mainly ready with the transition by 2030. If we want to achieve that, we need to start now. It is time to get our hands dirty and find out where the bottlenecks are,” Tillem emphasises.
“It would help if there were strict deadlines for migration in the Netherlands and Europe. That would help to encourage organisations to take action. We may still encounter some technical challenges and there will have to be an EU-wide consensus on where to focus (which algorithms, for example). In addition, we will still have to invest heavily in knowledge development. Although we have already made quite a lot of progress in that area and we are doing well in Europe. If we want to make further progress, working together is the key. Experimenting together within a project like this removes the risk, provides us with knowledge and exposes pitfalls. Let’s get started together!”, De Vries concludes.
Images: Manon de Vries & Gamze Tillem

