By embedding principles of cryptographic agility and defence in depth, financial institutions can better address unforeseen threats and safeguard trust in the financial system.

The rapid advancement of quantum computing presents a significant challenge to the security foundations of the global financial system. The integrity and stability of the financial system rely fundamentally on the security provided by current cryptographic methods. What makes quantum technology so potentially lethal is that this trust is inextricably tied to cryptography. This cuts to the very core of public trust in financial services, and it will only take one mistake to lose it.

While quantum computers offer opportunities for innovation, they also pose a threat because of their potential to break the encryption methods widely used today. The emergence of a cryptographically relevant quantum computer (CRQC) – one capable of compromising current public key cryptography – is uncertain, but experts anticipate it could happen within the next decade or 15 years if current trends continue.

This threat is more immediate than the timeline for the development of a CRQC suggests. The concept of “harvest now, decrypt later” (HNDL) means that encrypted data collected today can be stored and decrypted in the future once quantum computers are available. This scenario highlights the urgency for financial institutions to initiate preparations now.

The Role of Cryptography in Finance

Cryptography is essential for the financial system, ensuring confidentiality, integrity, authentication, and non-repudiation of transactions and data. Public key algorithms such as RSA and elliptic curve cryptography (ECC), which are widely used for authentication and establishing secure communication channels, are particularly vulnerable to quantum attacks.

A quantum computer running Shor’s algorithm can break these public key algorithms efficiently. While symmetric key cryptography (like AES) is less vulnerable, needing only an increase in key size to mitigate the threat from Grover’s algorithm, the reliance on asymmetric cryptography makes financial systems susceptible to compromise.

Post-Quantum Cryptography (PQC) as the Solution

To address this existential threat, the cryptographic community has been developing quantum-resistant solutions for over a decade. While quantum key distribution (QKD) is still in the research and development stage and faces infrastructure and cost challenges, post-quantum cryptography (PQC) is the most viable and readily available solution for the near term.

PQC algorithms can run on existing classical computers and are based on mathematical problems that are difficult for both classical and quantum computers to solve. The National Institute of Standards and Technology (NIST) has standardized initial PQC algorithms, with guidelines for transition released in November 2024.

The Complexity of Quantum Resilience

Achieving quantum resilience, much like implementing AI, is not a simple matter of adding a single program to a bank’s existing technology stack. Instead, it demands a thorough audit of digital systems to understand how to secure them effectively.

The depth of this audit is extensive, encompassing virtually every part of our digital world. The list of systems that must be examined includes smart cards, routers, switches, firmware in IoT devices, cryptographic kernels within operating systems, file systems, network services, VPNs, browsers, email, code databases, and all other databases.

The PQC Migration Challenge

Transitioning to PQC is not a simple “drop-in replacement” of current algorithms. PQC algorithms often require significantly more computational resources, including memory and processing power, compared to traditional cryptography. This poses challenges, especially for systems with limited resources, such as point-of-sale systems.

Due to the complexity of migration and the potential for implementation challenges, financial institutions should adopt best practices, including:

• Defence in depth: Implementing layered security defences with diverse countermeasures to mitigate risks.
• Cryptographic agility: The ability to rapidly and efficiently adapt or switch cryptographic algorithms in response to emerging threats or technological advancements.
• Hybrid approaches: Combining traditional cryptography with new quantum-safe techniques during the transition period.

A Roadmap for Quantum-Readiness

The interconnected nature of the financial system necessitates a coordinated and proactive approach to quantum readiness. A strategic roadmap for financial institutions involves three critical phases:

1. Awareness and Evaluation: Defining quantum readiness, assessing risks, and educating stakeholders. This includes establishing governance structures and setting up dedicated cross-functional teams.
2. Planning the Migration: Identifying and prioritizing critical systems and sensitive data, developing a cryptographic inventory, and adapting risk management frameworks. Institutions must also coordinate with third-party vendors and define clear timelines and milestones.
3. Executing Implementation: Thoroughly testing new PQC implementations, deploying quantum-safe solutions, and continuously monitoring system health.

Migration to quantum-safe systems is an opportunity to build more resilient infrastructures. By embedding principles of cryptographic agility and defence in depth, financial institutions can better address unforeseen threats and safeguard trust in the financial system. The time to act is now.

A Collaborative Effort

Compounding the difficulty of this effort is the fact that changes cannot be implemented unilaterally. Migration to quantum-safe cryptography requires agreements between digital counterparties. While central banks can offer support and guidance, there is a significant amount of coordination that individual banks must undertake.

The transition to a quantum-safe financial system is a complex undertaking. Cryptography experts and cybersecurity professionals at CREAPLUS can provide help and support with the migration to PQC in your IT systems.