What you need to know about Quantum-Safe Cryptography for Mobile Networks
Image by Massimiliano Pala via MS Designer


On February 22, 2024, GSMA released its report on "Post Quantum Cryptography – Guidelines for Telecom Use Cases", which analyses the impact of adopting quantum-safe cryptography and the associated challenges.

The transition to quantum-safe cryptography is a critical and complex process that challenges existing security frameworks in various telecommunications use cases. As demonstrated across the diverse set of scenarios presented in the report, from securing mobile communications to enterprise data and IoT devices, the impact of quantum computing on cryptographic practices necessitates a proactive and strategic approach to migration.

The cryptographic inventories and analyses provided highlight that both symmetric and asymmetric cryptographic algorithms, extensively used for securing data at rest and in transit, as well as for authentication and identity management, are vulnerable in the quantum era. While symmetric cryptographic methods like AES-128 may require an increase in key length to withstand potential quantum computational attacks, asymmetric algorithms, notably those based on the difficulty of factoring large numbers or the discrete logarithm problem, will require a complete transition to quantum-resistant alternatives.
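The distinction drawn above can be turned into a first-pass triage of a cryptographic inventory. The following is an added example, not code from the GSMA report or from this article: it parses TLS cipher-suite names and marks factoring or discrete-log components for replacement and short symmetric keys for a length increase. The asset names, the sample inventory and the 256-bit target are assumptions made for illustration.

```python
import re

# Key-exchange and signature tokens that rest on factoring or discrete logs.
QUANTUM_BROKEN = {"RSA", "DH", "DHE", "ECDH", "ECDHE", "DSS", "ECDSA"}
TARGET_SYM_BITS = 256  # assumption: 256-bit symmetric keys are the target
SEVERITY = ["keep", "review", "increase-key-length", "replace"]

def classify_suite(suite):
    """Return [(component, action)] for one TLS cipher-suite name."""
    m = re.fullmatch(r"TLS_(?:(\w+?)_WITH_)?(\w+)", suite)
    if not m:
        raise ValueError(f"not a TLS suite name: {suite!r}")
    asym, bulk = m.groups()
    findings = []
    if asym is None:
        # TLS 1.3 names omit the key exchange: inventory the groups separately.
        findings.append(("key-exchange", "review"))
    else:
        findings += [(t, "replace") for t in asym.split("_") if t in QUANTUM_BROKEN]
    bits = re.search(r"(?:^|_)(\d{3})(?:_|$)", bulk)
    if bulk.startswith("CHACHA20"):
        findings.append(("CHACHA20", "keep"))  # 256-bit key by design
    elif bits:
        short = int(bits.group(1)) < TARGET_SYM_BITS
        action = "increase-key-length" if short else "keep"
        findings.append((bulk[: bits.end(1)], action))
    else:
        findings.append((bulk, "review"))  # key size not visible in the name
    return findings

def triage(inventory):
    """Map each asset to the most severe action across all of its suites."""
    result = {}
    for asset, suites in inventory.items():
        actions = [a for s in suites for _, a in classify_suite(s)]
        result[asset] = max(actions, key=SEVERITY.index)
    return result

# Constructed sample inventory; asset names are hypothetical.
INVENTORY = {
    "oam-gateway": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    "iot-mgmt": ["TLS_PSK_WITH_AES_128_CBC_SHA"],
    "billing-api": ["TLS_AES_256_GCM_SHA384"],
    "vault-link": ["TLS_PSK_WITH_AES_256_GCM_SHA384"],
}

if __name__ == "__main__":
    for asset, action in triage(INVENTORY).items():
        print(f"{asset:12} {action}")
```

A suite name only shows what was configured, so a real inventory would also need certificate signature algorithms and negotiated key-exchange groups, which is why TLS 1.3 names come back as "review".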

Migration Strategies & Early Preparation

The migration strategies discussed in this work emphasize the importance of crypto-agility, enabling systems to adapt to new cryptographic standards efficiently. This is particularly vital for systems with long lifecycles or those managing data with long-lived confidentiality needs. Hybrid schemes, which combine quantum-safe algorithms with current standards, offer a transitional solution. However, these schemes introduce additional considerations regarding computational overheads, compatibility, and the need for updating protocols and certificates.

The implementation roadmap for transitioning to quantum-safe cryptography highlights the necessity for early testing, vendor cooperation, and standards development.

These steps are crucial to identify potential performance bottlenecks, compatibility issues, and to ensure a seamless migration process. Collaboration among stakeholders—telecom operators, equipment manufacturers, software vendors, standards bodies, and regulatory authorities—is essential to address the challenges presented by the quantum computing era effectively.

An important aspect to consider when dealing with legacy systems is that, in practice, some current systems may not be directly upgradable to quantum-safe standards due to technical or economic constraints. In such cases, risk management strategies, including data minimization, segmentation of sensitive information, and the use of secure intermediaries, can mitigate potential vulnerabilities in the interim period.

Last but not least, given the pervasive role of PKI in securing telecommunications infrastructure, the transition to quantum-safe PKI systems is paramount. This involves not only adopting quantum-resistant algorithms for digital signatures and key establishment but also ensuring that the PKI infrastructure can manage and distribute these new cryptographic assets. Solutions such as hybrid or composite cryptography or quantum-safe symmetric cryptography could provide a safe interim solution and allow for early deployment and testing of quantum-safe solutions without compromising today's level of security.

Collaborative Long-Term Planning

Similarly to the work we initiated in the broadband industry around the transition to quantum-safe cryptography for protocols, specifications, and devices, the telecommunications sector must engage in collaborative long-term planning to ensure a secure transition to quantum-safe cryptography. The suggested activities include:

  • A detailed cryptographic inventory and risk assessment tailored to the specific needs and constraints of each telecommunication use case.
  • The development and adoption of quantum-safe standards and testing frameworks to guide the industry’s transition.
  • Investment in research and development to address the technical challenges associated with implementing quantum-safe algorithms on constrained devices, ensuring that these solutions are not only secure but also practical in terms of performance and cost.
  • Engagement with the broader security and cryptography community to share insights, tools, and best practices for quantum-safe migration, leveraging open-source projects and collaborative platforms to accelerate progress.
  • Educational initiatives to raise awareness about quantum threats and the importance of early preparation among all stakeholders, including employees, customers, and partners. This includes training for technical teams on new cryptographic methods and the implications of quantum computing on security.
  • Regulatory advocacy to ensure that the legal and compliance frameworks are aligned with the technological advancements in quantum computing and cryptography, facilitating a coherent industry-wide transition.

Quantum-Safe Adoption Around the World

The adoption and integration of Post Quantum Cryptography (PQC) into national and global telecommunications systems highlight a proactive global response to the emergent threats posed by quantum computing. The strategic roadmap for transitioning to PQC varies significantly across countries, illustrating diverse approaches informed by national security priorities, technological readiness, and international collaboration.

Countries like the United States have laid out a comprehensive framework extending into the next decade, emphasizing the development of federal guidelines, fostering public-private partnerships, and securing critical infrastructure. European Union initiatives reflect a coordinated effort to harness collective expertise, emphasizing standardization, risk assessment, and the deployment of quantum-resistant cryptographic modalities across member states. Nations such as Australia and Canada have projected early adoption phases, emphasizing planning, risk mitigation, and the implementation of pre-standardized PQC solutions.

In contrast, nations like China and South Korea are focusing on homegrown cryptographic research and competition, aiming to develop unique PQC solutions while keeping an eye on global standardization efforts. Japan's approach, which includes both domestic initiatives and active participation in international standardization, mirrors a blend of national interest and global cooperation.

National Roadmaps

The adoption timelines for quantum-safe solutions vary significantly across different countries, reflecting each nation's strategic priorities, technological capabilities, and existing cybersecurity frameworks. Here's a short summary of the initiatives and timelines for quantum-safe adoption in key areas of the world:

  • United States: The US has laid a detailed roadmap extending from 2023 to 2033 for the implementation of Post Quantum Cryptography (PQC). This broad timeline indicates a thorough, phased approach towards ensuring quantum safety across federal and non-federal entities.
  • European Commission (EU): While specific timelines aren't provided for the complete transition to PQC, the European Commission, through ENISA, has emphasized early planning and mitigation efforts. The launch of collective risk assessment in 2023 highlights an ongoing process with a focus on gradual integration.
  • Japan: Japan's strategy involves monitoring the NIST process and beginning planning and initial implementation steps. While a specific finalization date for PQC adoption isn't indicated, Japan's active involvement in quantum computing R&D and standardization efforts suggests a balanced timeline aligned with international developments.
  • Australia: Recommends that early adopters in the commercial sector should begin implementing PQC between 2024 and 2027, with a push for broader implementation beyond 2027. This timeline indicates a proactive yet measured approach, giving entities time to adapt and align with emerging standards and best practices.
  • China: While China has completed rounds of competitions for selecting PQC algorithms as of 2020, there is no official timeline released for the nationwide adoption of these algorithms. China's emphasis on developing its quantum-safe standards points toward a strategic but less publicly defined timeline for PQC integration.
  • South Korea: South Korea's approach includes a PQC competition similar to China's, with the first round concluding in 2023 and the final round expected to conclude by the end of 2024. This suggests an aggressive stance toward developing and standardizing homegrown PQC algorithms, with potential adoption to follow shortly after the competition's conclusion.

This global landscape of quantum-safe cryptography adoption shows how complex preparing for a post-quantum world is. It underscores a universal recognition of the threat posed by quantum computing to current cryptographic standards and the collective effort required to mitigate these risks. Moreover, it highlights the importance of global cooperation and knowledge sharing in developing and implementing quantum-resistant cryptographic solutions.

As we move toward a post-quantum era, it is evident that early planning, investment in research and development, strategic partnerships, and adherence to emerging global standards will be critical for a successful transition. These diverse timelines and strategies provide valuable insights into the complexities of achieving quantum readiness, emphasizing the need for agility, coordination, and a forward-looking approach to safeguard digital communications and data against future quantum threats.

Final Considerations

In conclusion, the transition to quantum-safe cryptography within the telecommunications sector is a monumental task that requires careful planning, cross-industry cooperation, and ongoing vigilance. The journey to quantum safety is not merely a technical upgrade but a strategic imperative that will ensure the integrity, confidentiality, and resilience of telecommunications infrastructure in the face of emerging quantum threats.

As the field of quantum computing continues to evolve, so too must our approaches to securing the digital landscape, protecting not only today's communications but safeguarding the foundation of tomorrow's interconnected world.


