ETSI EG 203 310 V1.1.1 (2016-06)

Final draft ETSI EG 203 310 V1.0.0 (2016-04)






ETSI GUIDE
CYBER;
Post Quantum Computing Impact on ICT Systems;
Recommendations on Business Continuity and
Algorithm Selection

---------------------- Page: 1 ----------------------
2 Final draft ETSI EG 203 310 V1.0.0 (2016-04)



Reference
DEG/CYBER-0008
Keywords
algorithm, quantum cryptography, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2016.
All rights reserved.

TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
TM
3GPP and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
ETSI

---------------------- Page: 2 ----------------------
3 Final draft ETSI EG 203 310 V1.0.0 (2016-04)
Contents
Intellectual Property Rights . 4
Foreword . 4
Modal verbs terminology . 4
1 Scope . 5
2 References . 5
2.1 Normative references . 5
2.2 Informative references . 5
3 Definitions and abbreviations . 6
3.1 Definitions . 6
3.2 Abbreviations . 6
4 Outlining the problem . 6
5 Business continuity considerations . 7
5.1 Overview . 7
5.2 Existing standards (ISO 22301) . 8
5.3 Algorithm change . 9
5.4 Redistribution of symmetric keys . 10
5.5 Redistribution of asymmetric public keys and certificates . 10
5.6 Impact on EU Qualified Certificates in regulation 910/2014/EU . 10
Annex A: Overview of Quantum Computing . 11
Annex B: Shor's algorithm . 12
Annex C: Grover's algorithm. 13
History . 14


ETSI

---------------------- Page: 3 ----------------------
4 Final draft ETSI EG 203 310 V1.0.0 (2016-04)
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This final draft ETSI Guide (EG) has been produced by ETSI Technical Committee Cyber Security (CYBER), and is
now submitted for the ETSI standards Membership Approval Procedure.
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

ETSI

---------------------- Page: 4 ----------------------
5 Final draft ETSI EG 203 310 V1.0.0 (2016-04)
1 Scope
The present document addresses business continuity arising from the concern that Quantum Computing (QC) is likely
to invalidate the problems that lie at the heart of both RSA and ECC asymmetric cryptography. The present document
considers the transition to the post-quantum era of how to re-assert CAs in a PKI, the distribution of new algorithms,
and the distribution of new keys, and advises that business continuity planning addresses the impact of QC on ICT.
The current assumptions that underpin the security strength of RSA and ECC are that the solution to the prime
factoring, and the discrete logarithm problems are infeasible without prior knowledge. It has been widely suggested that
the application of quantum computing to these problems removes the assertion of infeasibility. Whilst it is not known
when quantum computing will arrive or how long it will be until the factorisation and discrete logarithm problems are
themselves solved the present document reviews the nature of the algorithms when subjected to QC attack and why they
become vulnerable.
The present document applies to ETSI TBs undertaking work in the selection and definition of cryptographic
algorithms, and to non-ETSI members who have deployed cryptographic algorithms and need to be aware of the impact
of QC on ICT.
2 References
2.1 Normative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are necessary for the application of the present document.
Not applicable.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] ISO 22301: "Societal security -- Business continuity management systems -- Requirements".
[i.2] ETSI White Paper Quantum Safe Cryptography V1.0.0 (2014-10): "Quantum Safe Cryptography
and Security; An introduction, benefits, enablers and challenges"; ISBN 979-10-92620-03-0.
[i.3] ETSI ISG QSC work programme.
NOTE: Available at https://portal.etsi.org/tb.aspx?tbid=836&SubTB=836.
ETSI

---------------------- Page: 5 ----------------------
6 Final draft ETSI EG 203 310 V1.0.0 (2016-04)
[i.4] IANA: "TLS Register of cipher suites".
NOTE: Available at (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4).
[i.5] ISO 27000 series: "Information technology -- Security techniques -- Information security
management systems".
NOTE: ISO 27000 is a multipart standard. The reference is to the body of work prepared by ISO/IEC JTC1 SC27
in the domain of Information security management systems.
[i.6] Auguste Kerckhoffs: "La cryptographie militaire" Journal des sciences militaires, vol. IX,
pp. 5-83, January 1883, pp. 161-191, February 1883.
[i.7] Biography Michele Mosca.
NOTE: Available at https://services.iqc.uwaterloo.ca/people/profile/mmosca/.
[i.8] Professors Johannes Buchmann of TUD, Jintai Ding of UoC: "Post-Quantum Cryptography",
Second International Workshop, PQCrypto 2008.
[i.9] Prof Seth Lloyd of MIT, MIT Review 2008.
[i.10] Prof. Johannes Buchmann, et al.: "Post-Quantum Signatures", Oct 2004, Technische Universität
Darmstadt.
[i.11] Regulation (EU) N 910/2014 of the European Parliament and of the Council on electronic
identification and trust services for electronic transactions in the internal market and repealing
Directive 1999/93/EC.
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the terms and definitions given in the ETSI White Paper Quantum Safe
Cryptography [i.2] apply.
3.2 Abbreviations
For the purposes of the present document, the abbreviations given in the ETSI White Paper Quantum Safe
Cryptography [i.2] apply.
4 Outlining the problem
All cryptographic algorithms should be considered to have a finite lifetime, where that lifetime is determined in part by
advances in cryptanalysis, by advances in computing, and by advances in the underlying mathematical knowledge that
underpins cryptology. In the domain of quantum computing there is a step change in the way that computing attacks on
cryptographic algorithms will occur.
In brief if the promise of quantum computing holds true then the following impacts will be immediate on the
assumption that the existence of viable quantum computing resources will be used against cryptographic deployments:
• Symmetric cryptographic strength will be halved, e.g. AES with 128 bit keys giving 128 bit strength will be
reduced to 64 bit strength (in other words to retain 128 bit security will require to implement 256 bit keys).
• Elliptical curve cryptography will offer no security.
• RSA based public key cryptography will offer no security.
• The Diffie-Helman-Merkle key agreement protocol will offer no security.
ETSI

---------------------- Page: 6 ----------------------
7 Final draft ETSI EG 203 310 V1.0.0 (2016-04)
With the advent of realisable Quantum Computers everything that has been transmitted or stored and that has been
protected by one of the known to be vulnerable algorithms, or that will ever be stored or transmitted, will become
unprotected and thus vulnerable to public disclosure. Annex A summarises quantum computing, whilst Annexes B and
C review the Shor and Grover algorithms and the means by which they impact existing cryptographic algorithms.
There is wide speculation on when quantum computing will be viable and whilst there is no consistency in forecasts it is
reasonable to assume that quantum computers will become viable within the forecast lifetime of current cryptographic
keys and algorithms.
Respected professionals in the field have speculated on the timeline as below.
Professors Johannes Buchmann of TUD, Jintai Ding of UoC, "Post-Quantum Cryptography", Second International
Workshop, PQCrypto 2008 [i.8]: "Some physicists predicted that within the next 10 to 20 years quantum computers will
be built that are sufficiently powerful to implement Shor's ideas and to break all existing public key schemes. Thus we
need to look ahead to a future of quantum computers, and we need to prepare the cryptographic world for that future."
Prof Seth Lloyd of MIT, MIT Review 2008 [i.9]: "My colleagues at MIT and I have been building simple quantum
computers and executing quantum algorithms since 1996, as have other scientists around the world. Quantum
computers work as promised. If they can be scaled up, to thousands or tens of thousands of qubits from their current
size of a dozen or so, watch out!"
Prof. Johannes Buchmann, et al [i.10]: "Post-Quantum Signatures", Oct 2004, Technische Universität Darmstadt:
"There is a good chance that large quantum computers can be built within the next 20 years. This would be a nightmare
for IT security if there are no fully developed, implemented, and standardized post-quantum signature schemes."
From this small sample it can be predicted that viable quantum computing will be added to the arsenal of cryptanalysts
in or around 2030. However, research is rapid evolving in quantum computing and this timetable is more likely to
shrink than expand as the underlying physics problems of quantum computing are overcome and the further
development of QC becoming an engineering rather than a science problem.
The number of qubits required to make a meaningful attack on cryptosystems is still significant. Most commentators
2
suggest that if the key length is L that between L and L qubit machines are required. The state of the art in 2015 of a
true QC was less than 20 qubits.
The ETSI White Paper [i.2] suggests that Quantum safe communication techniques are not compatible with techniques
incumbent in products vulnerable to quantum attacks. In a well-ordered and cost efficient technology transition, there is
a period of time where the new products are gradually phased in and legacy products are phased out. Currently,
quantum safe and quantum vulnerable products can co-exist in a network; in some cases, there is time for a well-
ordered transition. However, the window of opportunity for orderly transition is shrinking and with the growing
maturity of QC research, for data that needs to be kept secret for decades into the future, the window for transitioning
may already be closed.
5 Business continuity considerations
5.1 Overview
A very simple equation outlines the extent of the problem of evolution to a QC safe deployment of cryptography:
• X = the number of years the public-key cryptography needs to remain unbroken.
• Y = the number of years it will take to replace the cu
...