Secure Payments in the Quantum Era

A Technology Roadmap for the Post-Quantum Cryptography Transition in the Dutch Banking Sector

More Info
expand_more

Abstract

In 2019 a quantum computer performed a highly complex operation in 4 minutes, which would have taken the most powerful supercomputers of today around 10,000 years. Performing calculations unimaginably faster than is currently possible may bring great opportunities, but may implicate a threat to digital communications. Digital communication is kept secure through cryptography, which uses mathematical problems to protect sensitive information and communication from malicious acts of cybercrime. Cryptography is widely adopted across the cyberspace. The world’s fastest classical computers of today are unable to break cryptography’s underlying mathematical schemes, ensuring confidentiality and integrity of everyone’s data. However, it is predicted that future quantum computers could theoretically break current cryptography in just a few hours. The moment that a powerful enough quantum computer exists (called Y2Q) thus implicates that cryptography systems will become unusable as digital services are no longer secure. This could have catastrophic consequences for society’s critical digital infrastructures, such as those provided by Dutch banks. This problem is very relevant for banks, because of the sector’s abundance of sensitive data and information streams that rely on cryptography, as well as their critical role in society’s functionality (facilitating payments).
Because of the serious disruptions in critical financial infrastructures that the quantum threat could ignite, decision-makers within banks will be needing governing tools to mitigate risks. Adopting new quantum-resistant cryptographic algorithms, known as post-quantum-cryptography (PQC) is absolutely critical in facilitating safety and security from the quantum threat. However, there is currently little or no governance, or guidance, for the management of this transition towards PQC and guidance is urgently needed. The formulation of these guidance-measures is one of the main challenges regarding the transition towards security in the quantum-era. Therefore, this research focusses on ensuring the Dutch banking sector’s safety and security of its digital infrastructures, from the cryptography-related cyber threats posed by quantum computing technology – from not merely a technological perspective, but with a holistic approach, considering the involved socio-technical challenges. In order to provide guidance to decision-makers from Dutch banks, this thesis aims to answer the following research question:
How can the Dutch banking sector ensure the safety and security of its digital infrastructures, from the cryptography-related cyber threats posed by quantum computing technology?

In order to answer the main research question, the Technology Roadmap (TRM) framework will be used. This framework provides the vital link between a first idea phase (i.e., banks’ digital infrastructures face a threat from quantum computing technologies) and the concrete implementation phase (i.e., how do we ensure protection from this threat?). The TRM is a diagram which consists of features, services, systems, resources, and drivers in relation with one another, that together facilitate an overview of what is required for the banks to become quantum-safe. Constructing this roadmap required three main methods:
(1) Exploratory research to identify in which parts of the banks’ processes and operations the vulnerabilities to the quantum threat are the highest. This included describing key concepts within cryptography, PQC-developments, and banking services, as well as stakeholder- and dependency-mapping of the Dutch banking environment.
(2) Semi-structured interviews with security architects, payment security specialists, and cryptography specialists from Dutch banks. Herein the perceptions of the Dutch banks on the impact, challenges, resources, capabilities, preparedness, and governance were obtained.
(3) TRM development based on thematic analysis of qualitative data derived from semi-structured interviews in which the perceptions were translated into elements fit for the TRM.
Lastly, the TRM was validated and revised by presenting it to experts and asking for critique, which enabled the final TRM to be developed. after which conclusions and recommendations could be drawn up.
The core banking services were analyzed in terms of the role that cryptography plays to ensure the security of these services, which helped to identify in which parts of the banks’ processes and operations the vulnerabilities to the quantum threat are the highest. The exploratory analysis identified the critical processes that entail the certain infrastructures that need to transition towards PQC. These being within the online payment process, the physical card transaction process, and the ATM transaction process. Within these processes the main vulnerabilities lie in: data channels through external public networks and service providers relating to payment gateways, payment processors, local store webservers, online merchant webservers, card association networks and Point-of-Sale (PoS)-terminals. Less vulnerable infrastructures, due to their primary use of symmetric cryptography, are: ATM networks, internal storage and communication infrastructures, inter-bank data exchange, and ATM controllers.
Through combining these insights with findings from the thematic analysis of perceptions derived from the semi-structured interviews, the TRM was developed which presented a 3-phase transition plan that aims to ensure the Dutch banking sector safety and security of its digital infrastructures from cryptography-related cyber threats posed by quantum computing technology. Phase 1 of this transition plan entails the development of a response plan for a potential privacy breach and the development of central cryptographic inventory, through management priority, internal alignment, and experimentation with to-be-standardized PQC algorithms. After PQC algorithms have been standardized, Phase 2 involves the adoption of PQC algorithms in online payment networks, requiring banks to draw up a PQC requirement list for vendors and external service providers. With a hardware replacement strategy in place, Phase 3 entails the replacement of all relevant hardware related to payment processes (payment cards, PoS-terminals, and ATM controllers), updating less prioritized software and network infrastructures, and overcoming technical challenges related to PQC algorithms' larger key-sizes. It is important to note that the implementation of PQC is not a one-time event, but rather an ongoing, ever-evolving, and uncertain process. The continuous development of quantum computing technology means that banks must remain vigilant and adaptable to stay ahead of potential threats, and may need to accelerate certain phases within the transition on a relatively short notice. Additionally, the success of this transition relies heavily on organizational awareness, as well as close collaboration between various stakeholders, vendors, service providers, regulators, and other financial service organizations.

Based on this conclusion, this research has made several recommendations to the Dutch banking sector:

Accomplish management priority. Management priority is crucial for allocating resources to execute the first steps that have to be taken to ensure quantum-safety. Therefore, the banking sector should shift the focus of management toward addressing the quantum threat and transitioning towards post-quantum cryptography (PQC) as a top priority, integrating quantum-readiness into the key strategic goals of the bank by means of organizational awareness. Organizational awareness can be created through workshops, seminars, and events that are aimed at educating management on the business implications of the quantum threat, as well as presenting them with solutions on addressing this threat.
Execute initial risk-free actions. Banks can already take certain risk-free actions in preparation for the PQC-transition, which will strengthen the preparedness of the banks. These actions include:
- Developing a privacy breach response plan
- Developing a centralized cryptographic inventory
- Doubling key-lengths for symmetric-key cryptography algorithms
- Developing a hardware replacement strategy
Extend continuous collaborative research to PQC. Dutch banks should proactively utilize their existing collaborative structures with other vendors, service providers, regulators, and other financial service organizations., to share their experiences and jointly develop strategies for addressing the quantum threat. This will benefit the Dutch financial market as a whole, as sharing experiences with executing the risk-free actions or experimenting with PQC-algorithms is highly relevant for creating a comprehensive understanding of the practical implications and technical challenges associated with becoming quantum-safe.

Files