Journal of Payments Strategy & Systems Volume 14 Number 2

How the financial sector can anticipate the threats of quantum computing to keep payments safe and secure

Received (in revised form): 29th April, 2020

Oscar Covers*
Senior Information Risk Consultant and Cybersecurity Analyst, Dutch Payments Association, The Netherlands

Marco Doeland**
Manager Risk Management, Dutch Payments Association, The Netherlands

Oscar Covers is Senior Information Risk Consultant and Cybersecurity Analyst at the Dutch Payments Association. He analyses ICT-related security risks for the Financial Institutes — Information Sharing and Analysis Centre and, where necessary, coordinates the response. He chairs the European Cards Payments Association Security Working Group and participates in the working group that maintains the international requirements for payment terminals. He is also a member of the board of advisors that advises the payment card industry on issuing and maintaining the international security standards used by American Express, Discover, JCB, Mastercard and Visa.

Marco Doeland is Manager Risk Management at the Dutch Payments Association and the Chief Information Security Officer of Currence. He is responsible for managing the shared interests with respect to the security and cyber security of the Dutch payment infrastructures, including online, cards, mobile, iDEAL and iDIN. He is also Chairman of the Security Task Force at the Dutch National Forum on the Payment System and Chairman of the Interbank Security Task Force. In addition, he is a member of the Dutch Financial Institutes — Information Sharing and Analysis Centre (FI-ISAC), the European EU FI-ISAC and the global FS-ISAC.

Dutch Payments Association, PO Box 83073, 1080AB Amsterdam, The Netherlands
*E-mail: o.covers@betaalvereniging.nl
**E-mail: m.doeland@betaalvereniging.nl

Journal of Payments Strategy & Systems Vol. 14, No. 2 2020, pp. 147–156 © Henry Stewart Publications, 1750-1806

Abstract
At the end of 2015, the Dutch General Intelligence and Security Service informed owners and managers of vital infrastructure in the Netherlands about the developments and threats emanating from the advent of quantum computing. Dutch financial institutions have since started to monitor developments in quantum computing and are seeking to understand the implications for their interbank business processes. This paper looks at how banks and payment institutions can anticipate how quantum computing will evolve and respond accordingly, even though developments remain ongoing. To gain and maintain a good understanding, the Dutch Payments Association brings together quantum computing experts and experts from financial institutions to discuss the impact of quantum computing advancements on the industry. The key deliverable is to offer an approach to dealing with the threats associated with quantum computing, so that payment systems can continue securely and undisturbed. As this paper will discuss, this has resulted in a quantum readiness programme and seven so-called low-regret moves.

Keywords: quantum computing, post quantum cryptography, financial sector, banks, cyber security, payments


INTRODUCTION
Research into quantum computing is evolving quickly.¹,² Quantum simulation and quantum machine-learning algorithms can help find new medicines, elucidate reaction mechanisms in complex chemical systems, making it possible to mimic chemical processes found in nature that are more efficient than the processes currently used in the chemical industry, and so on. In short, quantum technologies are expected to have a profound impact on many of the world’s largest markets.

One area where quantum technologies pose a particular threat, however, is cryptography, as quantum computing makes it much easier to retrieve corresponding cryptographic keys. While nobody knows exactly when this threat will actually manifest, it is essential for the financial sector to understand the extent to which advances in quantum computing affect the security of the core banking and payment services. To gain the required understanding, the Dutch Payments Association (DPA) is bringing together quantum computing experts and experts from financial institutions to discuss how advances in quantum computing may impact on the financial sector.

WHY THE QUANTUM COMPUTER IS A THREAT
It all starts with the information unit. The information unit of the classical computer is the ‘bit’. A bit has two states: zero (0) and one (1). The quantum computer, however, uses a ‘qubit’ (quantum bit), which is in both states at the same time. This concept is known as superposition. Another quantum fact is that a qubit in a superposition cannot be observed directly. When the qubit is measured it will ‘collapse’ into a 0 or 1 in an unpredictable way. As the information unit has different properties, quantum calculations also follow a fundamentally different approach. First, the input must be presented as a superposition of all possible states, so the computation is performed on multiple states simultaneously; this is known as quantum parallelism. Secondly, the input is processed using a series of quantum gates that can create and process superposition states. A quantum gate is like a logical gate — a basic operating circuit performing a logical operation based on a small number of qubits leading to a result. Besides the gate operations, measuring the state of a qubit is also one of its functions. Measurements are often an indispensable aid in the calculation phase. Finally, a measurement is made of the qubits. However, if the final state is a superposition, the answer will not deliver a coherent result as the collapse delivers an unpredictable outcome. In that case, the calculation can be repeated multiple times to determine the result with the highest probability.

While quantum computing offers new directions to solve computational problems, the quantum parallelism causes it to scale up quickly. Adding one qubit doubles the computing capacity of the quantum computer. Some known ‘hard problems’ are exponentially faster to solve with a quantum computer. This opens up new possibilities for finding new chemical processes, new drugs and so on, but also weakens certain existing encryption algorithms, with clear consequences for the encryption currently used to secure data.

CURRENT ENCRYPTION, OR COMMON CLASSICAL CRYPTOGRAPHY

Symmetric-key algorithms
The most common and well-known encryption method is the symmetric encryption or, more accurately, symmetric-key encryption. The symmetric-key algorithms use the same key for both encryption of plaintext and decryption of the encrypted text. This key, which is used to secure the data, is a secret shared by the parties. Many secret writings made by enthusiasts, such as Julius Caesar,³ probably fall into the category of symmetric encryption.

Well-known symmetric-key algorithms include the Data Encryption Standard (DES) and its successor, the Advanced Encryption Standard (AES). DES dates from the early 1970s and ought to have been replaced already, but the trick of cycling through the algorithm three times with two or three different keys prolonged its life.⁴ Today, there are still many systems that use triple DES. The current gold standard for symmetric-key algorithms is AES.⁵

The big advantage of symmetric encryption is that it is very fast; the disadvantage is the shared secret key. After all, if someone is able to discover this secret key, all encrypted messages can be decrypted and read as well as manipulated and re-encrypted. Furthermore, in the case of multiple communication partners, a unique key is needed for each communication partner, which soon results in an untenable situation. So, symmetric-key algorithms always lead to key distribution concerns.

Asymmetric public-key algorithm (classical)
Asymmetric public-key algorithms distinguish themselves by the fact that they employ two keys that together form a single pair. What is encrypted with one key can be decrypted only by the associated key. This makes it possible to make one key publicly known; after which anyone can use this public key to encrypt a message for the owner of the other key. In this case, the other key must be kept private to make sure that only the owner is able to decrypt the message, hence this key is known as the private key.

Based on the feature that what is encrypted with a public key can be decrypted only by using the associated private key, any person can encrypt a message using the receiver’s public key, and that encrypted message can be decrypted only by using the receiver’s private key. This is a big advantage. Public-key algorithms do not need a secure channel for the initial exchange of one or more secret keys between the communication parties. The drawback is that it is computation-intensive, particularly in comparison with symmetric-key algorithms.

Examples of asymmetric public-key algorithms include RSA (an acronym of the surnames of Ron Rivest, Adi Shamir and Leonard Adleman), the digital signature algorithm (DSA) and elliptic-curve cryptography (ECC).

Cryptographic hash functions
Cryptographic hash functions are a special class. The hash function can be used to map data of arbitrary size to data of fixed size. It is used to verify data integrity and is designed as a one-way function, which cannot be reversed.

Cryptographic hash functions are widely used not only to verify data integrity but also as building blocks to construct a digital signature or message authentication code. They are also used for pseudorandom generation and key derivation.

Examples of cryptographic hash algorithms include the MD5 message-digest algorithm and secure hash algorithms (SHAs). SHAs are cryptographic hash functions published by the National Institute of Standards and Technology (NIST).

Key distribution
Traditionally, a requirement of secure communication between two parties is that they first exchange key parts in a secure manner; for example, via a face-to-face meeting. At the key ceremony, each party brings its key part in order to derive one secret key. It is also common to use multiple trusted couriers to deliver key parts in order to arrive at one key, and so on. As discussed, the disadvantage of symmetric key cryptography is that both parties must have a shared common secret key.

The Diffie-Hellman (DH) algorithm provides a method of generating a shared secret between two people in such a way that the secret cannot be obtained by observing the communication. For key exchange, the DH key exchange protocol is the de facto standard. Note, however, that DH is a non-authenticated key-agreement protocol. Two parties who do not know each other can jointly establish a shared secret key over an insecure channel. This key can then be used to encrypt the next communication using symmetric key encryption. The DH key exchange is a public-key technology which by itself is not an encryption algorithm. It is an asymmetric technology used to negotiate symmetric keys.

For payments, the aforementioned encryption algorithms are used for:

● encryption of data;
● exchange of encryption keys;
● guaranteeing data integrity; and
● authenticity and nonrepudiation of transactions.

Traditionally, financial transactions are secured with symmetrical encryption for performance reasons, but due to the advantages that asymmetrical encryption offers, current transactions also rely on asymmetrical encryption.

In general, it can be stated that encryption raises a computational barrier. However, the hard problems of classical cryptography are tailored to the current available computation power — some of the hard problems of today turn out to be easily solvable with a quantum computer. In this respect, two quantum algorithms have a high impact on current classical cryptography:

● Shor’s algorithm,⁶ named after mathematician Peter Shor, was formulated in 1994. Compared with its classical counterparts, it has the potential to provide exponential speedup of integer factorisation and related public-key primitives. By implication, it could be used to break almost any public-key algorithm that does not use extremely large keys.
● Grover’s algorithm,⁷ named after the computer scientist Lov Kumar Grover, was formulated in 1996. This algorithm finds, with high probability, the unique input to a black box function that produces a particular output value. Grover’s algorithm provides a quadratic speedup over a classical computer algorithm. However, even quadratic speedup is considerable and can affect the security levels of symmetrical encryption systems.

IMPACT IN WORST-CASE SCENARIOS
In the words of Daniel J. Bernstein, a leading academic in the field of post-quantum cryptography:

‘Nobody has figured out a way to apply “Shor’s algorithm” — the quantum-computer discrete-logarithm algorithm that breaks RSA and DSA and ECDSA — to any of these systems. Another quantum algorithm, “Grover’s algorithm”, does have some applications to these systems; but Grover’s algorithm is not as shockingly fast as Shor’s algorithm, and cryptographers can easily compensate for it by choosing somewhat larger key sizes’.⁸

According to a worst-case scenario, the current block ciphers can be made Grover-resilient by doubling the key length. For an algorithm like AES this is not a problem; for DES, however, this is not possible. With regard to cryptographic hash functions, the Grover algorithm seems to provide some non-trivial quadratic speedup. However, no problem arises when the output of the hash function is doubled. Shor’s algorithm has the greatest impact on public-key algorithms, which can be considered broken.

The resources needed to implement the Grover or Shor algorithm to break current cryptography systems, however, are not yet available. To date, quantum computing does not yet constitute a threat to current protections. At the moment when this finally happens, referred to as day z, there will be varying degrees of impact on some notable and popular kinds of cryptography. The difficulty of putting a date on that moment does not reduce the impact of the inevitable consequences, but it may delay the prioritisation of mitigation.

So, how to continue? Mosca’s theorem⁹ is helpful here. In brief: if x + y > z, then it is time to panic. Here:

● x is the security shelf life — how long the encryption algorithm will remain secure in combination with that key;
● y is the migration time — the time needed to migrate from the current encryption solution to a secure encryption solution; and
● z is the quantum computer, or another method that breaks the aforementioned cryptography primitive x.

In other words, if the security shelf life of the current encryption solution in use and the time to migrate to a secure solution lie beyond the day z on which a quantum computer breaks the cryptography, then it is time to panic.

Consequently, if data must be guaranteed confidential into the long term, then the owner of the data has a major challenge — perhaps even a problem — should the confidential data be exchanged over a public channel. After all, an adversary can intercept the communication, store the encrypted communication and wait patiently for the moment the encryption can be broken to decrypt the communication retroactively. This is exactly the challenge faced by governments and embassies.

The question is: what encryption is still secure in the era of the quantum computer? For symmetric-key algorithms, the threat can be mitigated by doubling the key length. For public-key cryptographic algorithms, other alternatives are needed.

NIST POST-QUANTUM CRYPTOGRAPHY STANDARDISATION
In April 2016, NIST published a report on post-quantum cryptography, stating that it anticipates quantum technology will render the commonly used RSA algorithm insecure by 2030.¹⁰ As a result, a need to standardise quantum-secure cryptographic primitives arose. The efforts therefore focus on public-key cryptography, explicit digital signatures and key encapsulation mechanisms. In December 2016, NIST initiated this standardisation process by issuing a call for proposals.

The academic world had already anticipated this. Even before 2005, many researchers had begun investigating post-quantum cryptography (PQC). This work received more attention after the PQCrypto conference series, which started in 2006, and several workshops on quantum safe cryptography, organised by the European Telecommunications Standards Institute (ETSI) and the Institute for Quantum Computing.

In the initial submission at the end of 2017, NIST received 23 signature schemes and 59 key encapsulation mechanisms, of which 69 were deemed complete and proper. At the beginning of 2019, nine signature schemes and 17 key encapsulation mechanisms went to the second round. The work is expected to be completed between 2022 and 2024.

KNOWN COMPLICATIONS AND KNOWN UNKNOWNS
The appropriate response to the looming threat of quantum computing is to identify cryptography that is sensitive to quantum attacks and replace it with PQC. Practically, this raises significant challenges for asymmetric cryptography.

For the banking industry, replacing cryptography is a process with very long timelines. For example:

● The typical payment card replacement cycle takes about eight years. Certification and selection usually take three years, and issued cards can be used for five years, until they expire. While it is possible to replace a bank card within a year, this comes at a considerably higher cost.
● Point-of-sale (POS) terminals and automated teller machines (ATMs) have life cycles ranging from five to 20 years. In the Netherlands, a POS terminal has an economic service life of five years; however, the mean usage time of a POS terminal is currently seven years. No economic life span has been determined for ATMs, but many are at least 20 years old, and only some can be adjusted remotely.
● Many institutions are still using critical systems that are decades old, despite efforts to decommission them.
● Replacing cryptography may not be enough, as some of the essential PQC alternatives are expected not to be simple drop-in-replacements. The need to revisit design assumptions and redesign to-be-identified systems should be taken into account, as redesign will be time-consuming.
● Standards and policies for the use and roll-out of PQC do not exist yet and need to be developed.

Addressing quantum computing also suffers from the fact that several significant aspects are — just as day z — still largely unknown. The fields of quantum computing and PQC are still very much in flux, which means it is uncertain what form attacks will take and what defences will be effective.

SOME COMFORTING CERTAINTIES
While quantum computing may lead to the total collapse of some kinds of cryptography, other kinds of cryptography are expected to withstand quantum computing with no adjustments, or no fundamental adjustments, as mentioned above:

● Modern symmetric encryption algorithms such as AES remain secure. It is assumed that AES-256 can be used securely until 2031 and beyond.¹¹
● Modern cryptographic hash functions such as SHA-256 and SHA-3 will remain secure through 2031 and beyond.¹² Technology built on these symmetric encryption and cryptographic hash functions and algorithms, such as message authentication code (MAC), key generation and key derivation, will remain secure.
● The protocol concepts of the ‘old era’ cryptographic card payments industry that predate the use of asymmetric cryptography remain valid and secure. The actual cryptographic algorithms used in these protocols of the old era, however, need to be replaced with modern variants if this has not already been done.
● The quantum computer will probably first demonstrate its added value for other, less demanding applications.¹³ Only later will the quantum computer become powerful enough to break cryptography.¹⁴ Such events, if made public, can be used as an early warning indicator announcing that day z is at hand.


THE DUTCH QUANTUM READINESS PROGRAMME
There are still many uncertainties relating to quantum computers, most notably when the first quantum computer will be available; however, there are also some certainties. Based on these certainties, it is possible to identify certain ‘low-regret’ moves to prepare for the advent of the quantum computer. Thus, the following seven low-regret moves or recommendations have been formulated to deal pragmatically and realistically with the threats associated with quantum computing.

These recommendations have been adopted within the governance of the Dutch Payments Association and its members, and have been approved by the CISOs of the DPA’s member banks and adopted by the responsible board members. In ensuring board-level commitment, these recommendations become policy guidelines. Accordingly, support for the programme has been arranged and the work has started.

The seven policy guidelines are:

1. Follow developments on quantum computing and PQC closely.
2. Maintain and extend the current inventory of interbank processes.
3. Urge international financial organisations to prepare for the advent of the quantum computer.
4. For classical symmetric cryptography, start the migration to AES, secure hashes and secure key derivation immediately.
5. Develop fallback to classical symmetric cryptography for the card payments infrastructure.
6. Develop an EMV smart card profile that does not rely on asymmetric encryption.
7. Enforce a policy to swiftly implement the latest official TLS releases and gain experience with PQC.

These seven policy guidelines will now be described in more detail.

Follow developments on quantum computing and PQC closely
Advances in quantum computing and PQC will influence the manoeuvring space the financial sector has to prepare and mitigate properly.

The DPA organises annual workshops and asks the broad expert group of participants to monitor the developments. The broad expert group consists of selected invitees: leading scientists from the field and relevant security experts from member banks, EMVCo, Mastercard and Visa. With the outcome of the workshop, banking specialists can translate general developments into interbank-relevant actions, validate the established long-term interbank plan annually and provide advice when necessary to update the long-term plan. A second result is an updated set of questions and answers, which can be used to inform the press when questions are asked.

Maintain and extend the current inventory of interbank processes
The readiness project group is responsible for the inventory of interbank processes to guide the actions that must be taken. This inventory includes the security shelf life of encryption primitives used in addition to secure PQC alternatives (as stated by authoritative bodies such as EMVCo and NIST). Suppliers are included in the inventory, as standard packages regularly use old, possibly unsafe, techniques.

Urge international financial organisations to prepare for the advent of the quantum computer
In the Netherlands, the members of the DPA know how to find each other quickly and easily; however, payment transactions do not stop at the Dutch borders. It is therefore important that international parties in the payments system take action to consider and act upon developments in quantum computing. If desired, the DPA is willing to share its approach to help other financial institutions to speed up their process.

For classical symmetric cryptography, start the migration to AES, secure hashes and secure key derivation immediately
Many symmetric encryption algorithms being used today are either insecure already without quantum computing (two-key triple DES, for example, is already disallowed by NIST) or come with a degree of security risk that will become unacceptable in the near future (for example, three-key triple DES is already deprecated by NIST and will be disallowed after 2023).¹⁵ This migration will have a major impact on many financial institution systems, hence it is important to commence the migration to AES as soon as possible. Similarly, the migration to PQC cryptographic hash functions, such as SHA-256 and SHA-3, along with PQC key derivation functions, should be commenced without delay.

Develop fallback to classical cryptography for the card payments infrastructure
About 20 years ago, asymmetric public-key algorithms were introduced to the Dutch interbank infrastructure. This cannot simply be reversed. Furthermore, asymmetric public-key algorithms do have added value. Asymmetric encryption is used mainly for secure remote key distribution and signing. The classical symmetric encryption functions MAC, challenge response and traditional secure key distribution (using a secure physical link or using key custodians with key envelopes or smart cards) can also be used to provide the same functionality.

The change from the current to a modern-day PQC equivalent of the old-era protocols requires changes throughout the payment infrastructure, including POS and ATM systems. Fortunately, these systems have the necessary capabilities to make such a switch. Unfortunately, changing this infrastructure is a complicated and time-consuming operation. Given that day z is unknown, and POS and ATM protocol migration is a process with very long timelines, it is recommended that the development of the outlined fallback scenario be started immediately.

Develop an EMV smart card profile that does not rely on asymmetric encryption
Retail card payments depend greatly on cards using the EMV standard. In addition to symmetrical encryption, the current EMV card profile also uses asymmetrical encryption. The Dutch EMV card infrastructure offers the opportunity to develop a card profile that — to protect the transaction — relies entirely on symmetrical encryption using AES. For this option, all transactions must be authorised online, which fortunately is common in the Netherlands. However, for transactions in the transport sector, for example, offline EMV is commonly used. These transactions rely on the asymmetric encryption and cannot easily be processed entirely online in real time. For these transactions, it seems workable to develop a ‘near real-time’ scenario. In such a case, they remain offline EMV transactions but are frequently sent in for processing. The transactions will therefore be recorded in near-real time and will become irrefutable, reducing the dependence on asymmetric encryption.

Another topic is the processing host, which must also be able to process authorisation messages based on AES. The current EMV card specifications do support all necessary encryption primitives, but the international card brand schemes and the issuing processing host systems in the Netherlands do not.
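The MAC and challenge-response functions named in the fallback section, combined with the online authorisation the symmetric card profile requires, can be illustrated as follows. This Python is an added example and not EMV's or the DPA's design: HMAC-SHA-256 stands in for an AES-based MAC and key derivation (Python's standard library has no AES), and the class names, message layout and derivation label are assumptions.

```python
import hashlib
import hmac
import secrets
import struct


def derive_card_key(master_key, card_id):
    """Per-card key derived from the issuer master key (HMAC-SHA-256 as KDF)."""
    return hmac.new(master_key, b"card-key|" + card_id.encode(), hashlib.sha256).digest()


def transaction_mac(card_key, challenge, counter, amount_cents, currency):
    """MAC over a fixed-layout message so fields cannot be shifted into each other."""
    message = challenge + struct.pack(">IQ", counter, amount_cents) + currency.encode()
    return hmac.new(card_key, message, hashlib.sha256).digest()


class Card:
    """Holds only its own derived key, personalised over a secure channel."""

    def __init__(self, card_id, card_key):
        self.card_id = card_id
        self._key = card_key
        self.counter = 0

    def authorise(self, challenge, amount_cents, currency):
        self.counter += 1
        mac = transaction_mac(self._key, challenge, self.counter, amount_cents, currency)
        return self.counter, mac


class IssuerHost:
    """Online verifier: the only other party able to compute the card's MAC."""

    def __init__(self, master_key):
        self._master = master_key
        self._pending = {}       # card_id -> outstanding single-use challenge
        self._last_counter = {}  # card_id -> highest counter already approved

    def new_challenge(self, card_id):
        challenge = secrets.token_bytes(16)
        self._pending[card_id] = challenge
        return challenge

    def verify(self, card_id, counter, amount_cents, currency, mac):
        challenge = self._pending.pop(card_id, None)  # consumed on first use
        if challenge is None:
            return "no-challenge"
        if counter <= self._last_counter.get(card_id, 0):
            return "replayed-counter"
        key = derive_card_key(self._master, card_id)
        expected = transaction_mac(key, challenge, counter, amount_cents, currency)
        if not hmac.compare_digest(expected, mac):  # constant-time comparison
            return "bad-mac"
        self._last_counter[card_id] = counter
        return "approved"


def demo():
    """Run a constructed session and return the host's decision for each case."""
    master = secrets.token_bytes(32)
    host = IssuerHost(master)
    card = Card("NL-0001", derive_card_key(master, "NL-0001"))
    results = []

    ch = host.new_challenge(card.card_id)
    ctr, mac = card.authorise(ch, 1250, "EUR")
    results.append(host.verify(card.card_id, ctr, 1250, "EUR", mac))    # genuine
    results.append(host.verify(card.card_id, ctr, 1250, "EUR", mac))    # same message resent

    host.new_challenge(card.card_id)
    results.append(host.verify(card.card_id, ctr, 1250, "EUR", mac))    # old response, new challenge

    ch = host.new_challenge(card.card_id)
    ctr2, mac2 = card.authorise(ch, 1250, "EUR")
    results.append(host.verify(card.card_id, ctr2, 125000, "EUR", mac2))  # amount altered in transit

    rogue = Card("NL-0001", derive_card_key(b"\x00" * 32, "NL-0001"))   # key not from the issuer
    rogue.counter = 5
    ch = host.new_challenge(rogue.card_id)
    ctr3, mac3 = rogue.authorise(ch, 1250, "EUR")
    results.append(host.verify(rogue.card_id, ctr3, 1250, "EUR", mac3))
    return results


if __name__ == "__main__":
    print(demo())
```

Verification needs the shared key, so it can only happen at the issuer host; that is the reason the symmetric profile depends on every transaction being authorised online.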


With reference to the long migration route from introduction to withdrawal of the last card, it is advisable not to wait too long before issuing an instruction to develop an EMV smart card profile that does not rely on asymmetric encryption.

Enforce a policy to swiftly implement the latest official TLS releases and gain experience with PQC
TLS is widely used to secure data in transit, for example over the internet. External-facing systems using TLS are more flexible than back-office banking systems with respect to their ability to migrate smoothly and swiftly to PQC algorithms. For these systems, the readiness group expects that a quantum-proof TLS version will arrive in time before day z. After all, the NIST competition submissions contain several practical algorithms for key exchange that can be used as drop-in replacement for current key exchange protocols. For example, New Hope is currently used in a pilot for TLS. However, other PQC NIST competition alternatives for RSA and ECC show that potential alternatives behave very differently in terms of key size, signature size, required computation and required storage. In all the alternatives, at least one of these parameters is many times worse than the current algorithms. This means that drop-in replacements are not likely to exist. Using the alternatives will entail significant changes in architecture, dimensioning or workflow and redesign of protocols.

Preparing and committing to swift adoption of new TLS versions will therefore help mitigate the negative impact of quantum computing and build up timely experience with PQC implementations.

NATIONAL AND INTERNATIONAL APPROACH
The DPA will use its relations and various roles to maintain a secure, stable and robust payment system. The experience of the Netherlands has taught that cooperation can lead to a safer and more secure payment world.¹⁶ This is also the case for quantum computing. It is important to involve and advise the parties concerned, to ensure that information is exchanged and that these parties collaborate — not just within the Netherlands, but across the rest of Europe and the world too. To deal with the threats associated with quantum computing, the active involvement of participants is necessary. This applies to banks, payment processors, vendors and schemes, as well as to universities and governments. The DPA will make every effort to ensure that quantum readiness is on the national and international agenda.

AUTHORS’ NOTE
The authors would like to thank the following members of the quantum readiness programme for their contributions: Harld Röling and Daphne Ma (ABN AMRO), René Steenbeeke (Dutch Payments Association), Arne de Boer (De Nederlandsche Bank), Jurjen Bos (equensWorldline), Wouter Teepe and Elif Yesilbek (ING), Arie Schilp () and Ron Werther ().

References
(1) Birch Consultants (2018) ‘Building a Q-campus: realising a quantum ecosystem in Delft’, available at: www.rijksoverheid.nl/binaries/rijksoverheid/documenten/rapporten/2018/10/04/building-a-qcampus-realising-a-quantum-ecosystem-in-delft/Building a Q-Campus - Realising a Quantum ecosystem in Delft.pdf (accessed 20th April, 2020).
(2) Russo, M., Thaker, A., and Adam, S. (2018) ‘The coming quantum leap in computing’, available at: www.bcg.com/publications/2018/coming-quantum-leap-computing.aspx (accessed 20th April, 2020).
(3) Van Der Lubbe, J.C.A. (1998) ‘Basic Methods of Cryptography’, Cambridge University Press, Cambridge.
(4) Karn, P., Metzger, P. and Simpson, W. (1995) ‘The ESP triple DES transform’, RFC1851, available at: https://tools.ietf.org/html/rfc1851 (accessed 20th April, 2020).
(5) Rijmen, V. and Daemen, J. (2001) ‘Advanced encryption standard’, in ‘Proceedings of the Federal Information Processing Standards Publications, National Institute of Standards and Technology’, Gaithersburg, MD, pp. 19–22.
(6) Shor, P.W. (1994) ‘Algorithms for quantum computation: discrete logarithms and factoring’, in Proceedings of the 35th Annual Symposium on Foundations of Computer Science, Santa Fe, NM, 20th–22nd November.
(7) Grover, L.K. (1996) ‘A fast quantum mechanical algorithm for database search’, in Proceedings of the 28th Annual ACM Symposium on Theory of Computing, Philadelphia PA, May.
(8) Bernstein, D.J. (2009) ‘Introduction to post-quantum cryptography’, in ‘Post-quantum Cryptography’, Springer, Berlin and Heidelberg, pp. 1–14.
(9) Mosca, M. (2013) ‘Setting the scene for the ETSI quantum-safe cryptography workshop’, e-proceedings of 1st Quantum-Safe-Crypto Workshop, Sophia Antipolis, 26th–27th September.
(10) Chen, L., Jordan, S., Liu, Y.-K., Moody, D., Peralta, R., Perlner, R. and Smith-Tone, D. (2016) ‘NISTIR 8105 Report on Post-Quantum Cryptography’, available at: https://csrc.nist.gov/publications/detail/nistir/8105/final (accessed 20th April, 2020).
(11) Barker, E., Barker, W., Burr, W., Polk, W. and Smid, M. (2007) ‘Recommendation for Key Management – Part 1: General (Revision 3)’, NIST special publication 800-57, available at: https://adgrafics.net/docs/other/sp800-57_part1_rev3_general.pdf (accessed 20th April, 2020).
(12) Ibid.
(13) Reiher, M., Wiebe, N., Svore, K.M., Wecker, D. and Troyer, M. (2017) ‘Elucidating reaction mechanisms on quantum computers’, Proceedings of the National Academy of Sciences, Vol. 114, No. 29, pp. 7555–7560.
(14) Roetteler, M., Naehrig, M., Svore, K.M., and Lauter, K. (2017) ‘Quantum resource estimates for computing elliptic curve discrete logarithms’, paper presented at the International Conference on the Theory and Application of Cryptology and Information Security, Hong Kong, 3rd–7th December, available at: https://eprint.iacr.org/2017/598.pdf (accessed 20th April, 2020).
(15) Barker, E. and Roginsky, A. (2019) ‘Transitioning the Use of Cryptographic Algorithms and Key Lengths’, NIST Special Publication 800-131A Revision 2, available at: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf (accessed 20th April, 2020).
(16) Doeland, M.M. (2017) ‘Collaboration and the sharing of information help reduce payment transactions fraud’, Journal of Payments Strategy & Systems, Vol. 11, No. 3, pp. 81–85.
