Final draft
ETSI EG 203 310 V0.0.1 (2015-01)
ETSI GUIDE
CYBER;
Post Quantum Computing Impact on ICT Systems;
Business Continuity and Algorithm Selection

or [Release #]
2
Final draft ETSI EG 203 310 V0.0.1 (2015-01)
Reference
<Workitem>
Keywords
<keywords>
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-préfecture de Grasse (06) N° 7803/88
Important notice
The present document can be downloaded from:
http://www.etsi.org
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute yyyy.
All rights reserved.
DECTTM, PLUGTESTSTM, UMTSTM and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
3GPPTM and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
ETSI
or [Release #]
3
Final draft ETSI EG 203 310 V0.0.1 (2015-01)
Reproduction is only permitted for the purpose of standardization work undertaken within ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.
ETSI
or [Release #]
4
Final draft ETSI EG 203 310 V0.0.1 (2015-01)
Contents
Intellectual Property Rights ................................................................................................................................ 5
Foreword............................................................................................................................................................. 5
Modal verbs terminology ................................................................................................................................... 5
1
Scope ............................................................................................................................................................ 6
2
References .................................................................................................................................................... 6
2.1
2.2
3
3.1
3.2
Normative references ................................................................................................................................................ 6
Informative references .............................................................................................................................................. 6
Definitions, symbols and abbreviations ....................................................................................................... 6
Definitions ................................................................................................................................................................ 6
Abbreviations ............................................................................................................................................................ 6
4
Outlining the problem .................................................................................................................................. 7
5
Business continuity considerations .............................................................................................................. 7
5.1
5.2
5.3
5.4
5.5
Overview ................................................................................................................................................................... 7
Existing standards (ISO 22301) ................................................................................................................................ 7
Algorithm change ...................................................................................................................................................... 8
Redistribution of symmetric keys ............................................................................................................................. 8
Redistribution of asymmetric public keys and certificates........................................................................................ 8
Annex A: Overview of Quantum Computing ................................................................................................ 9
Annex B: Shor’s algorithm ............................................................................................................................ 10
Annex C: Grover’s algorithm........................................................................................................................ 11
Annex E: Bibliography................................................................................................................................... 12
Annex F: Change History .............................................................................................................................. 13
History .............................................................................................................................................................. 14
ETSI
or [Release #]
5
Final draft ETSI EG 203 310 V0.0.1 (2015-01)
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://ipr.etsi.org).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This final draft ETSI Guide (EG) has been produced by ETSI Technical Committee CYBER, and is now submitted for
the ETSI standards Membership Approval Procedure.
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "may not", "need", "need not", "will",
"will not", "can" and "cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms
for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
ETSI
or [Release #]
1
6
Final draft ETSI EG 203 310 V0.0.1 (2015-01)
Scope
The present document addresses business continuity arising from the concern that quantum computing is likely to
invalidate the problems that lie at the heart of both RSA and ECC asymmetric cryptography. The present document
considers the transition to the post-quantum era of how to re-assert CAs in a PKI, the distribution of new algorithms,
and the distribution of new keys.
The current assumptions that underpin the security strength of RSA and ECC are that the solution to the prime
factoring, and the discrete logarithm problems are infeasible without prior knowledge. It has been widely suggested that
the application of quantum computing to these problems removes the assertion of infeasibility. Whilst it is not known
when quantum computing will arrive or how long it will be until the factorisation and discrete logarithm problems are
themselves solved the report will review the nature of the algorithms when subjected to QC attack and why they
become vulnerable.
2
References
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
NOTE:
2.1
While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
Normative references
The following referenced documents are necessary for the application of the present document.
Not applicable.
2.2
Informative references
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1]
ISO 22301: “Societal security -- Business continuity management systems --- Requirements”
3
Definitions, symbols and abbreviations
3.1
Definitions
For the purposes of the present document, the [following] terms and definitions [given in ... and the following] apply:
Quantum computing:
Qubit: a unit of quantum information
3.2
Abbreviations
For the purposes of the present document, the [following] abbreviations [given in ... and the following] apply:
RSA
Rivest Shamir Adleman
ETSI
or [Release #]
4
7
Final draft ETSI EG 203 310 V0.0.1 (2015-01)
Outlining the problem
All cryptographic algorithms should be considered to have a finite lifetime, where that lifetime is determined in part by
advances in cryptanalysis, by advances in computing, and by advances in the underlying mathematical knowledge that
underpins cryptology. In the domain of quantum computing there is a step change in the way that computing attacks on
cryptographic algorithms will occur. Annex A summarises quantum computing, whilst Annexes B and C review the
Shor and Grover algorithms and the means by which they impact existing cryptographic algorithms.
In brief if the promise of quantum computing holds true then the following impacts will be immediate on the
assumption that the existence of viable quantum computing resources will be used against cryptographic deployments:

Symmetric cryptographic strength will be halved, e.g. AES with 128 bit keys giving 128 bit strength will be
reduced to 64 bit strength (in other words to retain 128 bit security will require to implement 256 bit keys)

Elliptical curve cryptography will offer no security

RSA based public key cryptography will offer no security

The Diffie-Helman-Merkle key agreement protocol will offer no security.
There is wide speculation on when quantum computing will be viable and whilst there is no consistency in forecasts it is
reasonable to assume that quantum computers will become viable within the forecast lifetime of current cryptographic
keys and algorithms.
Respected professionals in the field have speculated on the timeline as below.
Professors Johannes Buchmann of TUD, Jintai Ding of UoC, "Post-Quantum Cryptography", Second International
Workshop, PQCrypto 2008: “Some physicists predicted that within the next 10 to 20 years quantum computers will be
built that are sufficiently powerful to implement Shor’s ideas and to break all existing public key schemes. Thus we need
to look ahead to a future of quantum computers, and we need to prepare the cryptographic world for that future.”
Prof Seth Lloyd of MIT, MIT Review 2008: “My colleagues at MIT and I have been building simple quantum
computers and executing quantum algorithms since 1996, as have other scientists around the world. Quantum
computers work as promised. If they can be scaled up, to thousands or tens of thousands of qubits from their current
size of a dozen or so, watch out!”
Prof. Johannes Buchmann, et al, “Post-Quantum Signatures”, Oct 2004, Technische Universität Darmstadt: “There is a
good chance that large quantum computers can be built within the next 20 years. This would be a nightmare for IT
security if there are no fully developed, implemented, and standardized post-quantum signature schemes.”
From this small sample it can be predicted that viable quantum computing will be added to the arsenal of cryptanalysts
in or around 2030.
The number of qubits required to make a meaningful attack on cryptosystems is still significant. Most commentators
suggest that if the key length is L that between L and L2 qubit machines are required.
5
Business continuity considerations
5.1
Overview
5.2
Existing standards (ISO 22301)
ETSI
or [Release #]
5.3
8
Final draft ETSI EG 203 310 V0.0.1 (2015-01)
Algorithm change
Refer here to the about to be formed ISG on Quantum Cryptography
5.4
Redistribution of symmetric keys
5.5
Redistribution of asymmetric public keys and certificates
ETSI
or [Release #]
9
Final draft ETSI EG 203 310 V0.0.1 (2015-01)
Annex A:
Overview of Quantum Computing
Contrast with normal binary operations:
A bit x can have only 2 states {1,0} and prior to examination all other things being equal the probability of either state
is 0.5.
In contrast a quantum state has a number of values between the end points of 1 and 0 and the sum of the squares of the
probabilities of all potential values has to be 1. Furthermore all states in quantum examination are represented as
complex numbers.
…
ETSI
or [Release #]
10
Final draft ETSI EG 203 310 V0.0.1 (2015-01)
Annex B:
Shor’s algorithm
Shor’s algorithm solves the following problem: Given an integer N, find its prime factors.
The security of the RSA algorithm is based on the assumption that factoring large numbers is computationally
infeasible. So far as is known, this assumption is valid for classical (non-quantum) computers; no classical algorithm is
known that can factor in polynomial time, whereas a quantum computer claims to solve this problem in polynomial
time. In other words applying Shor’s algorithm which solves the problem underpinning RSA in polynomial time the
security of RSA is defeated as the effort in time to break it is the same as the time to perform a normal RSA function.
ETSI
or [Release #]
11
Annex C:
Grover’s algorithm
<Text>.
ETSI
Final draft ETSI EG 203 310 V0.0.1 (2015-01)
or [Release #]
12
Annex E:
Bibliography
<Publication>: "<Title>".
OR

<Publication>: "<Title>".
ETSI
Final draft ETSI EG 203 310 V0.0.1 (2015-01)
or [Release #]
13
Final draft ETSI EG 203 310 V0.0.1 (2015-01)
Annex F:
Change History
Date
Version
Information about changes
ETSI
or [Release #]
14
Final draft ETSI EG 203 310 V0.0.1 (2015-01)
History
Document history
0.0.1
January 2015
Table of Contents and initial scope clause
ETSI