This is a follow-up to an article previously published by the ECSG, "Quantum computing and the threat to card payment cryptography". It takes into account the developments made by the card payment cryptographic community in the last year:
- EMVCo have released their initial Elliptic Curve Cryptography (ECC) specifications for contact transactions. These will be complemented by a second set of specifications that secures contactless transactions through a secure channel between the card and the terminal, established using an ECC protocol. This topic will be added to the ECSG Volume in the form of a Bulletin.
- The ECSG has continued its technical efforts to evaluate the relevance, for the European card payments industry, of the quantum-resistant (or post-quantum) algorithms contest run by the National Institute of Standards and Technology (NIST). NIST has released the list of post-quantum cryptographic algorithms to be standardised. These algorithms are intended to counter future threats arising from the development of commercial quantum computers. In that respect, the challenge is whether state-of-the-art card technology has sufficient computing resources to store and execute post-quantum cryptographic algorithms.
- The ECSG has also reviewed in detail the positions on migration to stronger cryptography released by different National Security Agencies. The migration of existing systems to the post-quantum cryptographic algorithms pre-selected by NIST is still considered premature. In the meantime, a progressive transition using hybrid approaches, which mix classical and post-quantum cryptographic methods, is being evaluated.
The ECSG will continue to investigate these technological challenges, so stay tuned for updates on this important topic.