G7 Cybersecurity Working Group Statement on preparing for a post-quantum cryptography migration

Introduction

Quantum computers use quantum physics to process information and solve problems that are impractical to solve using current computing capabilities. Although these computers can be beneficial in fields like medicine and science, they also pose risks to cyber security with their ability to break public key cryptography (PKC). PKC, also known as asymmetric cryptography, is used to protect the confidentiality, integrity and authentication of communication and data. It also provides assurance that software and updates are from the organizations that you expect and have not been tampered with. The United States’ National Institute for Standards and Technology (NIST), in conjunction with experts from around the world, has chosen new algorithms that are resistant to a quantum attack in order to replace the existing vulnerable ones. This new field of cryptography is called post-quantum cryptography (PQC). The G7 Cybersecurity Working Group (G7 CWG) recognizes the challenges that transitioning to new algorithms bring to organizations and has developed this publication to provide practical advice to prepare for this important process. In addition to this publication, the G7 Cyber Expert Group (G7 CEG) has published a group statement on “Advancing a Coordinated Roadmap for the Transition to Post-Quantum Cryptography in the Financial Sector” which readers may find useful.

Table of contents

Audience and purpose

This publication provides recommendations to prepare organizations to transition to PQC. It has been developed by dedicated experts of the G7 CWG, including governments and their national cyber agencies. It is targeted at technical management of medium-to-large organizations to provide guidance on the types of work that could be performed during a typical transition project. The G7 CWG recognizes that organizations across the world have different structures and governance requirements, and that a single guidance publication cannot cover all organizations’ needs. As a result, this publication provides pragmatic approaches that can be adopted and modified by organizations to meet their goal of transitioning to PQC. In addition to this publication, the G7 CWG recommends that you review other relevant guidance from standards bodies as well as your national cyber agency. This publication should not supersede any guidance published by your national technical authority.

Terminology

Most of the terminology used in this section comes from the European Commission’s PQC roadmap publication1. Any modifications or additions in this publication are due to changes in audience or are intended to add information relevant to this publication.

Cryptographic agility (crypto agility)
The design of cryptographic protocols and systems in a modular way that enables replacing the cryptographic components. This concept must not be confused with a requirement to negotiate the cipher suite during protocol execution.
Cryptographic inventory
A structured overview of cryptographic assets.
Cryptographically relevant quantum computer (CRQC)
A quantum computer that is powerful enough to solve factorization and discrete logarithm problems of sizes that are used in quantum-vulnerable cryptography today.
Harvest now, decrypt later (HNDL) attack
A scenario, where adversaries store encrypted data for decryption once a cryptographically relevant quantum computer emerges. This is a threat when the confidentiality of data needs to be protected for a long time period (for instance governmental data, sensitive personal data, trade or business secrets).
Post-quantum cryptography (PQC)
Asymmetric cryptographic algorithms that are developed and designed to be secure against traditional and quantum attacks.
Post-quantum traditional (PQ/T) hybrid scheme
A cryptographic scheme that incorporates at least 1 PQC algorithm and at least 1 traditional algorithm, where each component algorithm has the same cryptographic purpose as each other and as the overall scheme. An example of such scheme is the Internet Engineering Task Force’s (IETF) Request for Comments (RFC) on Hybrid key exchange in TLS1.3, which provides a construction for combining a traditional key exchange (for example, elliptic curve Diffie-Hellman (ECDH) or finite field Diffie-Hellman (FFDH) key exchange) with post-quantum key encapsulation mechanisms (KEMs) to provide hybrid confidentiality for the Transport Layer Security (TLS) layer.
Public key infrastructure (PKI)
A framework for issuing, maintaining, and revoking public key certificates.
Quantum attack
Using a cryptographically relevant quantum computer running a quantum algorithm to attack a cryptographic algorithm.
Quantum-safe
Something that is expected to be secure against traditional and quantum attacks. This term also covers symmetric cryptography algorithms.
Quantum-vulnerable
Not quantum-safe. Cryptographic algorithms that are expected to be vulnerable to quantum attacks.
Traditional
Quantum-vulnerable (for cryptographic mechanisms) or non-quantum (for example, for attacks) depending on the context.

Project preparation

The following sections outline considerations for organizations when preparing to transition to PQC, including:

  • governance
  • project teams
  • organizational awareness
  • budget
  • crypto agility

Although this publication provides information on how to prepare organizations for the transition to PQC, this is not an exhaustive list, and your organization may have additional requirements that should be considered for your specific situation. In addition to this publication, you should also consult all guidance from your national cyber agency.

Governance

When presenting PQC to senior leadership, the following points may secure their buy-in and allow them to understand their role during the transition. It is important that senior leadership takes an active role in the promotion of PQC in their organization. They should provide direction to technical leads on the scale and pace of PQC migration. In turn, technical teams should provide senior leadership with estimates on the costs and what can be delivered within a given timeframe. They should also provide regular updates to senior leadership on progress against the timeframe.

Senior leaders are responsible for setting strategic priorities and allocating resources. It is important to note that PQC is not just a technical upgrade, but rather a core cyber security measure that should be integrated into existing organizational risk management processes and information security management systems (ISMS).

Timeframes

Unlike some cyber security threats which require rapid changes that can be disruptive and expensive, an advantage of PQC migration is its relatively long timeframe for implementation. Migration is expected to be completed in the private sector during the 2030s (specific dates will vary slightly by country; refer to your national guidelines for additional information). You should highlight to senior leadership that beginning a controlled migration early on will make migration more manageable and affordable.

Competition and excellence

Starting the PQC transition ahead of your competitors may signal to investors and customers that your organization is forward-thinking and takes cyber security seriously. To effectively engage senior leadership, you should stress the competitive advantage that early PQC adoption brings.

How to engage leadership

  • Frame PQC as a business risk. For instance, emphasize the HNDL threat and the long-term impact on data confidentiality. You can also highlight that failure to act in a timely and structured manner may be more costly in the long run.
  • Use the available resources from your national technical authority, including guidance relating to promoting cyber security to boards and executives. Highlight any deadlines for PQC completion.
  • Position PQC migration as an opportunity for organizations to:
    • modernize infrastructure
    • improve resilience
    • demonstrate their dedication to cyber security by making PQC a part of their “normal” cyber security upgrade and refresh cycles

Practical steps

  • Designate a board member accountable for PQC migration, including allocation of funding for the work. Where possible, this should be the member accountable for managing the wider cyber security risks of the organization. This individual should also be someone that is known to employees and with whom they can engage.
  • Map cryptographic dependencies: Identify where PKC is used across systems and supply chains.
  • Consider using consultants that specialize in PQC migration. Some countries have accreditation schemes for consultancies that have received training in this area.
  • Join working groups: Collaborate with industry peers to share best practices and avoid duplication of effort. If these groups do not exist, consider establishing them to demonstrate leadership in your sector.
  • Track progress: Use metrics to measure leadership awareness and decision-making impact.

Project teams

To prepare for the transition to PQC, it is recommended that organizations develop teams to oversee the work. Project teams should consist of stakeholders throughout the organization and include at least 1 member from senior management to lend necessary support. Although much of the work to be performed is technical, it is beneficial to include stakeholders in non-technical areas, including finance, project management, procurement and any other relevant stakeholders.

Below are a series of teams that your organization should consider standing up. This is not prescriptive, and you may find it works better to merge or exclude some of these teams based on your organization’s structure and requirements. You may also choose to outsource some of this work to consultants specializing in PQC. In this case, check if your national technical authority provides formal accreditation to these organizations.

Executive governance and strategy team

This team will be the main driver of PQC migration within an organization. The purpose of this team is to set direction, secure board-level buy-in, and align with relevant national timelines. It will also be responsible for briefing the board and ensuring that PQC remains a high priority on the organization’s agenda.

Key roles:

  • Chief information security officer (CISO)
  • Policy lead or PQC program lead
  • Legal/compliance advisor

Tip: Consider setting up a project management office (PMO) team (discussed below) that will support the governance and strategy team in coordinating PQC migration and the relevant project teams.

Cryptographic discovery and planning team

One of the first objectives your organization will need to deliver is a map of the systems which will need to be made PQC-compliant. This map should identify both internal systems and anything that is delivered by a third party. Once you have completed this discovery task, you should draft a migration plan.

The purpose of this team will be to map cryptographic dependencies, assess risks and develop migration plans.

Key roles:

  • Cryptography specialist
  • Systems architect
  • Asset discovery analyst

Tip: Begin with a full discovery exercise to identify where PKC is used across systems, and don’t forget about your suppliers.

Technical implementation team

Once your organization has undertaken a discovery and mapping task, the next objective should be the implementation of PQC in discovered systems.

The purpose of this group is to upgrade systems, integrate PQC algorithms and validate performance.

Key roles:

  • Software engineers
  • Network security engineers
  • Infrastructure/development and operations (DevOps) leads

Vendor and supply chain engagement team

During the discovery and mapping phase, it is likely that you will have identified that third-party systems will also need to be PQC compliant. It is therefore important to engage with suppliers as early as possible to ensure they can meet your PQC migration deadlines.

The purpose of this group is to ensure that suppliers and other service providers are PQC-ready.

Key roles:

  • Procurement lead
  • Vendor risk manager
  • Supply chain analyst

Tip: If you supply other businesses, it is worth considering their demands for PQC-compliant services. Early PQC migration in your business may set you apart from your competitors.

Project management office (PMO)

As with all medium-to-large-scale projects, your organization may wish to consider a PMO team to oversee and coordinate the PQC migration plan, as well as the outputs and expectations from the other teams listed.

The purpose of the PMO will be to oversee timelines, dependencies and reporting updates to the executive.

Key roles:

  • Project manager
  • Risk and issue manager
  • Reporting analyst

Organizational awareness

As with most large projects, it is important that all affected stakeholders are aware of how PQC migration will impact them. It should be expected that the transition to PQC will affect most people in an organization and in varying ways, from the leadership who must oversee the work and provide the financing, to the employees who use the software and devices that will be transitioned.

Your communication goals should be to:

  • inform senior leadership of the need to transition to PQC so that they can make necessary decisions for your organization. Discussion topics include the reason for the transition, estimated timelines, potential costs and other topics relevant to your organization.
  • prepare teams within your organization that will be involved with the transition so that they are aware of their roles and responsibilities. Each team should use this information to develop or modify policies and procedures appropriately. For example, updating procurement policies to require the purchase of products that support PQC.
  • inform members across the organization about what the transition to PQC is, why it is important and how it is expected to affect them and their work. This includes training on any new tools and policies that will be introduced during the transition.

Communications should continue throughout the project to ensure that all stakeholders are aware of the latest updates and can make relevant decisions.

Budget considerations

When preparing for the transition to PQC, organizations should create a financial plan. Although some transition costs can be covered through natural lifecycling of infrastructure, additional funding resources may be needed to pay for the work. The following is a list of items that an organization should consider when budgeting. Your organization may require additional financial resources in addition to those listed below.

New hardware

You may find that you need to replace existing hardware if your vendor no longer supports it or has no plans to transition it to PQC. Additionally, new hardware may be needed to test configurations of existing systems to validate that the changes introduced during the transition will work in your environment. When developing a specific budget for the transition, consider whether hardware can be replaced through natural lifecycle replacement and therefore can be excluded from this specific budget.

Software

Software that uses PKC should be upgraded or replaced to use PQC algorithms. However, if your software vendor will support PQC and it is under a support contract, it may not be necessary to budget for replacement. Any changes to software should nonetheless be tested to ensure that it still meets the requirements of your organization.

Support contracts

Maintaining support contracts with vendors may be a good approach to upgrade product firmware and software. However, you should first communicate with your vendors to determine whether they will transition to PQC and will cover the PQC algorithms under existing contracts.

Employees and training

It may be necessary to train IT staff on how to use and appropriately configure any new or modified hardware and software to meet organizational requirements and to avoid introducing any vulnerabilities when deploying PQC. It may also be necessary to inform and educate other staff about new tools or changes to existing tools that may affect their work.

Contractors

For many organizations, transitioning to PQC may require more resources or cryptographic expertise than the organization has available. Augmenting staff with contractors during the transition may provide the necessary resources to complete the transition while limiting the impact on normal operations.

Outsourcing

Rather than augmenting your staff with contractors, you may wish to outsource the work to organizations that provide PQC transition expertise. You may wish to check whether your national technical authority provides formal accreditation of these organizations.

Cryptographic agility

Systems deploying cryptographic mechanisms cannot offer continuous security throughout their lifetimes. This is especially true when you consider the threat posed by state-of-the-art technology that is continuously evolving and becoming more advanced. When the underlying components of a system (or protocols) are rigid, any attempt to transition to a more secure design will always entail significant financial, time and organizational resources, while also making it harder to remain interoperable. For example, it took several decades to transition from the Data Encryption Standard (DES) block cipher to the Advanced Encryption Standard (AES), with NIST finally disallowing the use of the Triple Data Encryption Algorithm (TDEA) as of January 1, 2024.

The concept of cryptographic agility is to design protocols and systems in a modular scheme, allowing for the reconfiguration or replacement of individual components. As the migration to PQC will require a significant overhaul of the current systems in use, there is a long-term security and financial gain to be had by integrating crypto agility into the current transition.

The fundamental step to becoming cryptographically agile is the ability to detect weaknesses in deployed systems and to know where changes will need to be made. This leads to the requirement to build and continuously maintain and update a complete cryptographic inventory. This should remain a top priority going forward for all areas where cryptographic mechanisms are used.

The way cryptographic agility is implemented and the requirements for achieving it depend on the specific context—whether at the vendor or purchaser level, or within a system or protocol. For purchasers, this involves considering crypto agility when buying products and maintaining regular communication with vendors and security experts to remain secure. For a system, this could include an efficient quantum-safe update mechanism for cryptographic components realized in software, firmware or field-programmable gate arrays (FPGAs). For a protocol, a cryptographically agile design should not only facilitate inserting and switching between new algorithms and suites but also incorporate identification methods which would allow for a simple inclusion of new algorithms/suites at a later date. Additionally, for algorithms themselves, such crypto agile designs should allow changes to the parameters which determine the security level provided.

Deploying systems and protocols to be cryptographically agile provides various advantages beyond being prepared for the future. Along with offering long-term protection, crypto-agile systems and protocols can be applied in various countries and international organizations. It can also protect confidential information where there may be differing guidelines for parameters and algorithms, ensuring easier compliance for each use-case.

NIST’s Cybersecurity White Paper (CSWP) 39 and Canadian Centre for Cyber Security's (CCCS) Guidance on becoming cryptographically agile provide more detail on approaches to cryptographic agility.

Migration plan development

Your organization will most likely develop many plans during the PQC transition. From high-level plans covering the organization down to specific plans for transitioning individual systems, planning is critical to the success of the PQC transition. While developing plans, organizations should consider factors such as risk to data, impact on users both internally and externally, interoperability requirements, and service level agreements, as they will all have an effect on how you proceed. This section provides considerations for your organization. As with all subjects described in this publication, you should ensure that all PQC planning is tailored to your environment.

Identifying cryptography

Building a detailed cryptographic inventory is an important step in an organization’s quantum-readiness plan. This is one of the resource-intensive tasks, as many organizations lack visibility into where and how cryptography is used across systems, devices, network protocols and cloud services.

In addition, identification of cryptography should be approached as an ongoing, iterative process, in which each cycle progressively refines the inventory and improves data accuracy. Ideally, this process should be repeated periodically to ensure that the information remains current and reliable.

Organizations may start by leveraging existing asset inventory data, obtained as part of standard information security management practices, to identify systems, applications and data flows that depend on cryptographic functions. This will establish a foundation basis for assessing PQC migration needs and prioritizing remediation efforts.

The cryptographic discovery and planning team, which is responsible for the cryptographic inventory, should allocate significant time and resources. Failure to identify a cryptographic asset at this stage may result in an unacceptable cyber security risk when CRQCs become available to malicious actors.

The collected information should be as detailed as possible (algorithm, key length, usage, etc.), as it will determine whether a cryptographic asset is vulnerable to quantum attack. This will allow the organization to perform an adequate risk evaluation.

The cryptographic inventory could be based on standard, machine-readable formats such as the Cryptographic Bill of Materials (CBOM). For more information, read Cryptographic inventory and the CBOM in the Appendix to this publication.

While the primary focus of the transition is migrating traditional PKC to PQC, it is also valuable to identify where cryptography is used across all systems and supply chains (for example, symmetric algorithms, hash functions, etc.) even though it is unlikely to be in scope of PQC migration to further enhance cryptographic agility within the organization (see Cryptographic agility).

Scenarios where cryptographic assets are used

A complete inventory requires investigating cryptographic assets in several different scenarios that can be grouped into the following 4 areas of research.

Networked appliances and applications

These include systems that use cryptographic algorithms during the transmission of data. For example, TLS uses PKC to establish secure communication tunnels between systems. Networked appliances and applications include but are not limited to:

  • network devices: router, firewalls, virtual private network (VPN) gateways, etc.
  • application servers: web, email, database, etc.
  • messaging applications

In this scenario, at least the following widely deployed protocols must be assessed, as they rely on quantum-vulnerable cryptographic primitives (Rivest-Shamir-Adleman (RSA) or Elliptic Curve Digital Signature Algorithm (ECDSA) signatures and Diffie-Hellman and ECDH key exchange):

  • TLS: the backbone of secure web communications. Monitoring TLS traffic provides direct visibility into cipher suites, key lengths and certificate types currently in use.
  • Secure Shell (SSH): critical for administrative access and automation. Assessing the configuration of both SSH servers and clients helps to map which algorithms are actively used for authentication and key negotiation.
  • Authentication and authorization protocols: Open Authorization (OAuth), OpenID Connect (OIDC) and Security Assurance Markup Language (SAML) make use of digital signatures to verify authenticity and integrity of tokensFootnote 2 and messages.
  • Internet Protocol Security (IPsec), Internet Key Exchange (IKE): fundamental for VPNs and remote working environments.
  • Email security protocols (S/MIME, PGP): widely used for ensuring confidentiality, authenticity and integrity of email.

In addition, particular attention should be paid to Internet-facing network services, as the exposure to the public network significantly increase the risk of an attack by a malicious actor (for example, HNDL attacks). See “Prioritization” below for more details.

Externally developed software and hardware

These are systems that your organization uses but which are not developed internally. They use cryptography, but not for transmitting data. For example, these may include software that relies primarily on PKC, such as:

  • digital signing and PKI software
  • digital rights management (DRM) software
  • Secure Boot and firmware integrity software

It may also include software that extensively uses symmetric cryptography to securely store data and may apply PKC for authentication and authorization, such as:

  • identity and access management (IAM), privileged access management (PAM) and key management systems (KMS)
  • password managers
  • database, file and disk encryption tools

Externally developed hardware devices include:

  • hardware security modules (HSMs)
  • smart cards
  • trusted platform modules (TPMs)
  • specialized embedded devices Footnote 3

In this case, since the source code of the applications or firmware is not available, identifying cryptographic components requires the cooperation of vendors that may provide a CBOM or a Software Bill of Materials (SBOM). You can read more about CBOM and SBOMs in Cryptographic inventory and the Cryptographic Bill of Materials, found in the Appendix. Alternatively, for legacy systems or when vendor support is not available, we recommend the use of vulnerability scanners and binary inspection utilities.

Moreover, some applications could adopt cryptography for network transmissions as well as for other purposes and may need multiple approaches to understand the cryptography implemented.

Internally developed and open-source software

These consist of software that is developed inside your organization or software for which source code is available. This allows you to understand how cryptography is used.

For many software projects, integrated development environments (IDE) plugins or source composition analysis (SCA) tools can help to identify the use of cryptographic primitives within the code and to develop a SBOM which will list the components that make up the software. The migration of this software will require internal remediation actions to change configurations, code, application programming interfaces (APIs) or libraries.

Cloud services and externally managed systems

Particular attention must be paid to cloud services, especially within platform-as-a-service (PaaS) and software-as-a-service (SaaS) models, since organizations cannot directly identify or control the cryptography used and must therefore rely on attestations or certifications provided by the service provider. In this context, the cryptographic discovery and planning team should engage with cloud service providers to confirm whether their encryption algorithms and security controls are aligned with PQC transition strategies, as outlined in Operational and cloud technology considerations.

Moreover, cloud services are often delivered over the public Internet, thus potentially exposing the organization’s data to malicious actors.

Prioritization

The complete migration to PQC will be a enormous effort and it cannot be accomplished in 1 step. Therefore, organizations must apply a method of prioritization to assess which systems are more vulnerable to the rising threats and to identify an order for the migration. The most reasonable way to perform this assessment will be to carry out a quantum risk analysis once an inventory of data assets and cryptographic tools has been produced.

Risk assessment is a standard IT infrastructure technique to understand the vulnerabilities of a system and the impact of a potential breach. A quantum risk assessment should follow a similar methodology. In most cases, the functionality provided by the system will have an effect on which threats are relevant and the scope of the threat. Developing a risk assessment is not necessarily a task for one specific team, but rather an ongoing requirement throughout the PQC migration on which multiple teams may need to work in tandem.

The table below provides the main considerations that need to be taken into account for prioritization within a PQC transition plan but it is not intended as a complete list. This approach is compatible with the approach described in the European Commission’s A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography. An in-depth example of how to build a quantum risk assessment can be found in the Netherlands General Intelligence and Security Service’s The PQC Migration Handbook.

Factor Description Considerations
Potential damage The damage that could occur if data was unprotected and obtained by an adversary. Data that is of high interest, such as financial, personally identifiable information (PII) and government-mandated records may be considered to be of high priority.
Data lifespan The expected life that the data will be of value and/or should be protected. Data that is susceptible to HNDL attacks could be considered higher priority.
Accessibility of the data Where the data is located that a threat actor could attempt to obtain and decrypt. Data that is exposed to open networks should be considered to have a higher priority than data that is locked securely (for example, offline, in protected zones, or over VPNs or secure websites).
Time to migrate the system How long would it take to complete the migration of a system. The migration time for some cryptographic systems, such as PKIs, will take many years due to their complex structure. Therefore, organizations need to account for the time to migrate a system.

Because organizations have to work with restricted resources and potentially depend on external vendors, other factors could affect when specific transitions can take place. These additional factors could include:

  • availability of PQC products and services
  • service level agreement requirements
  • availability of human and financial resources
  • external integration points (for example, inter-office VPNs, cloud providers)

Additionally, it may be beneficial to focus on a simple PQC upgrade at the beginning of the transition to understand the new cryptographic parameters and develop expertise before attempting larger, more complex upgrades.

Once the appropriate factors have been decided upon, organizations will need to determine how to assign a quantum risk assessment. For simplicity, a qualitative scheme with 3 assessment levels such as low, medium and high should be sufficient for organizations to determine the order for the transition. In general, the higher the rating assigned, the higher the priority of migrating to PQC.

The following 2 examples highlight cases where a high quantum risk assessment should be applied:

  • the protection of confidential data that needs to remain undisclosed for a long period of time
  • the protection of software/firmware updates, for which migration could take a significant amount of time to complete

Note: Timeframes for protecting data may differ based on individual nations’ jurisdiction.

It is important for organizations to communicate with vendors to understand their plans. We recommend regular communication to ensure that, if their PQC product roadmaps have changed, you will be able to adjust your plans accordingly. You may discover that your current infrastructure will need to be replaced as either your vendor or the standardized protocols that your services use will not support PQC in the future. For example, PQC will only be available in TLS 1.3 and later. If your web services use TLS 1.2 for securing communications, you may have to:

  • upgrade the software
  • upgrade the operating system that runs the software
  • replace the infrastructure the service runs on
  • deal with any combination of the above

Transition

The transition phase is used to implement PQC on quantum-vulnerable systems. A plan for this phase will need to meet your organization’s requirements and consider items including, but not limited to, timelines, business operations and the priority of the data and systems that the cryptography protects.

While developing the transition plan, we recommend that you perform tabletop exercises that will help identify any issues that may prevent a smooth transition to PQC. Determining potential issues early on will generally reduce costs, errors and the time to perform the transition, and may result in fewer issues during the upgrade process. When performing the transition, make sure to follow your organization’s change-management processes.

Testing

In addition to the testing that your organization already performs on your IT environments, you should consider adding PQC tests to your test plans. This will ensure that your IT environment continues to meet organizational requirements and also validate that the PQC has been implemented correctly. At minimum, your plans should:

  • Ensure that the cryptographic products meet system requirements
    Some devices use dedicated hardware or chip instruction extensions to improve the performance of traditional cryptography. Although initial testing shows some PQC processing is as fast as existing PKC, until dedicated hardware is available for PQC, it may perform more slowly than systems currently in use. Another consideration is that PQC key, ciphertexts and signatures are often larger than those produced with the existing PKC algorithms. Problems could arise from these larger sizes when using low bitrate or noisy network connections such as on radios. Due to these concerns, and possibly others, it is important to ensure that new or transitioned devices continue to meet the system’s prescribed requirements.
  • Validate interoperability Although a product may have been tested by a vendor, interoperability can fail between vendors based on different implementation assumptions. In situations where 2 or more products must work together to form a solution, it is important to perform testing to ensure that they will interoperate together.
  • Test configurations to enable PQC Configuring a system to support PQC will often involve more than pressing a button or checking a box on a graphical interface. It may involve obtaining new cryptographic certificates as well as turning off cryptographic ciphers that you no longer wish to use. Having a plan to test varying configurations and verify that PQC algorithms are being used correctly will alleviate any mistakes that could leave your data and systems unprotected.

Documentation

During the transition, it is important to ensure that each change to any system is well documented. Relevant documentation includes but is not limited to:

  • Business continuity plans (BCPs) As your environment changes, it is important to ensure that your BCP is kept up to date to ensure that it captures all the information necessary to continue business operations in the case of a disruption.
  • Configuration and use documentation The configuration, as well as any specific use instructions for each system, should be recorded. This includes any configurations made to support PQC and deprecate traditional cryptographic algorithms.
  • Information technology asset management (ITAM) Update the organization ITAM to record any changes to hardware and software, including removing any items that will no longer be needed after the transition.
  • Cryptographic information Cryptographic recommendations will continue to change as new technologies are developed. Ensuring that all cryptographic technologies used in your organization are properly recorded and secured is an important part of cryptographic agility and will aid in future cryptographic changes. More information on storing cryptographic information can be found in Cryptographic inventory and the Cryptographic Bill of Materials in the Appendix of this publication.

Conclusion

Although the transition to PQC will bring many challenges, including time, cost and complexity, the G7 CWG believes that it is an important part of protecting your organization’s information technology and data. The G7 CWG has published this guidance on important topics that we believe will help you prepare your organization during the transition. In addition to this publication, the G7 CWG recommends that you review other relevant guidance including that from standards bodies as well as your national cyber agency. Please note that the guidance presented in this publication is for informational purposes only and should be tailored to fit the needs of your organization.

Appendix

This appendix provides additional information on select topics that may be on interest to the reader.

Considerations for identifying cryptography

Tools and methods for cryptographic discovery

You can use different categories of tools and techniques to identify cryptographic assets in different scenarios. In most cases, relying only on automated tools won’t be enough to exhaustively find cryptography in your environment, as the tools may miss something or provide false positives. It is necessary to combine automated and manual approaches (for example, tool output review, documentation analysis, vendor communications, internal discussions, etc.).

The following sections outline different tools and techniques that you can use and their purposes.

Network devices and applications

  • Active network vulnerability scanners: to interrogate network services directly and list supported protocols, cipher suites, and key-exchange mechanisms, highlighting the use of weak or deprecated algorithms. For example, nmap, testssl.sh and openssl
  • Passive monitoring and traffic analyzers: to capture and analyze live communications in order to observe which cryptographic protocols and algorithms are actually negotiated during sessions. For example, Wireshark and tcpdump
  • Large-scale network scanning frameworks like Shodan or Censys.io can be employed to map cryptographic exposure of Internet-facing assets

Externally developed software and hardware

  • Binary and library inspection utilities: to analyze executables and verify dynamically linked cryptographic components and symbols
  • Firmware inspection and analysis methods: to examine firmware images of embedded devices or accelerators for implemented algorithms and potential hardcoded keys
  • System and hardware inventory utilities: to detect the presence of cryptographic accelerators, secure co-processors or dedicated modules integrated into servers and network appliances

Internally developed and open-source software

  • Source code analysis methods: to identify direct calls to cryptographic APIs, functions or hardcoded keys inside applications.
  • Dependency and package inspection tools: to detect cryptographic libraries declared in project files or packages
  • Static and dynamic analysis techniques: to examine compiled code for linked cryptographic components and functions

It is important to note that most tools available (at the time of writing) were not originally designed to detect weaknesses specifically from a quantum-safe perspective. Their primary function is to identify outdated software versions, insecure configurations and vulnerable cryptographic implementations. However, they can still be effectively repurposed in the context of post-quantum migration, since they provide valuable insights on where traditional algorithms are deployed. By leveraging these existing tools, organizations can build an initial cryptographic inventory and highlight systems that are most exposed to quantum-related risks, even before dedicated PQC-focused discovery solutions become widely available.

Cryptographic inventory and the Cryptographic Bill of Materials

There are different approaches for building and managing a cryptographic inventory, but adopting a structured, machine-readable representation of cryptographic assets, such as the CBOM, is highly recommended.

CBOM is a specialized extension of an SBOMFootnote 4 that focuses exclusively on cryptographic assets. Essentially, it is a detailed list in a machine-readable format that describes cryptography in use along with metadata. It can track dependencies between algorithms and provide a way to associate both traditional and quantum security vulnerability scores with identified assets.

Beyond its role as an inventory, the CBOM helps increase the visibility of cryptographic assets across the organization and supports risks assessment. It allows organizations to evaluate quantum vulnerability, prioritize remediation and identify long-lived assets at risk of HNDL attacks.

Furthermore, because the CBOM can be easily updated throughout systems and applications lifecycles, it helps organizations maintain long-term consistency and control over their cryptographic assets

Hybrid cryptography

In the context of the transition to PQC, hybrid or composite schemes may combine multiple cryptographic algorithms via suitable methods to achieve the desired security for the complete scheme, even if one of the components has been weakened or even broken. For signature schemes, this can be a method such as having 2 or more parallel implemented signature schemes and the complete signature is valid only when all signature components are valid. For key agreement schemes, multiple KEMs are combined to produce a single shared secret, in a so-called KEM-combiner. This tends to involve additional steps beyond computing the individual KEM components and leads to more complicated security analysis for the complete scheme.

The typical use case currently involves combining a traditional, well-tested (albeit not quantum-secure) public key algorithm with a new PQC algorithm to form a post-quantum/traditional hybrid. If the PQC algorithm is appropriately implemented, such schemes provide potential protection against HNDL attacks, while maintaining the current level of security.

Certain hybrid approaches could support long-term security while maintaining backwards compatibility or policy compliance and enabling the introduction of new algorithms across systems. You must carefully assess hybrid approaches to select the appropriate scheme for the desired need.

Operational and cloud technology considerations

Operational technology (OT) networks contain hardware and software that are used to control or monitor the physical world. They are often deployed in industrial or commercial settings to manage and monitor equipment, when doing it manually may not be practical – for example, managing high-voltage output of electrical generators. Although it is recommended that organizations transition their infrastructure to PQC, it may not be possible or feasible to transition machinery that is managed and controlled by OT due to cost or availability. For this reason, other options should be considered.

Segmentation: It may be possible to segment technologies that cannot be transitioned to PQC away from the OT network. This may mean air-gapping an individual device or placing it on an air-gapped network with other systems that cannot be transitioned. Air-gapping technologies reduce, but cannot completely eliminate, the risk of attacks by threat actors. Depending on the OT network design, OT devices may need to communicate outside of the air-gapped network, so segmentation may not be possible. OT networks that are already air-gapped will already provide this security.

Tunnelling: OT infrastructure that cannot be segmented can use tunnelling to protect data in transit. The OT system in question uses a device to perform PQC encryption on its behalf. Examples of this approach include placing a VPN in front of the device or having a reverse proxy server that supports PQC. This approach allows infrastructure to be reachable by the OT network, while protecting the network with PQC.

Many major cloud providers have already started to publish their plans to transition to PQC. If organizations are using a cloud provider for their software or infrastructure, they should communicate with their providers to understand their plans and timelines. When using hybrid cloud environments (a combination of both private and public cloud infrastructure), it will be important to ensure that both clouds continue to work together during the transition. When engaging with new cloud providers, we recommend requiring as part of the procurement contract that the provider support PQC.

Cryptographic assets in operational technology

In OT environments, such as industrial control systems (ICS), cryptographic discovery poses additional challenges compared to traditional IT systems due to limited computational resources, legacy systems and vendor-specific implementations. Moreover, unlike traditional IT, many industrial processes support critical functions that cannot be interrupted, which further complicates analysis activities.

In addition to involving the vendor, suitable approaches could include:

  • Passive network monitoring, to identify which cryptographic protocols and cipher suites are negotiated in ICS/SCADA traffic without impacting the continuity or the integrity of industrial operations,
  • Firmware and configuration inspection, to verify embedded cryptographic mechanisms in programmable logic controllers (PLCs) and industrial systems,

Certification

Certification is a recognition by an independent assessment body that a product meets certain criteria. This can include implementation, evaluation and security assessments, thereby ensuring a high level of security for users and developers in the cyber security landscape. A certification is accompanied by a level of assurance, which corresponds to the more or less thorough depth of the analysis carried out by the evaluator, in accordance with the sponsor's security objectives. Countries or industry sectors may have distinct certification schemes, but some schemes may be mutually recognized or internationally accepted.

For the client and beneficiaries, certification represents a guarantee, often provided by a third-party organization, of the quality, safety or security of a product that they can verify before purchasing it.

The transition to PQC will be long and costly. PQC requirements will need to be included in tenders to ensure the security of products in the coming years.

Countries and industry sectors that have policies or regulations requiring certification benefit when there are multiple certified products with PQC available on the market.

Certification schemes should be adapted to include requirements for PQC as soon as possible. This will involve working with national authorities, centres of expertise and laboratories, as well as solution providers to update regulations, certification processes and products.

Information security management standards

For organizations that use standards as part of managing of their information security, the following table associates sections within this document with relevant standards. You may wish to review the references when performing the transition to PQC. This is not an exhaustive list and the G7 CWG recognizes that your organization may use other standards in place of or in addition to the ones listed below.

Relevant Standards

Publication section Reference
Documentation International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) Standard 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements Annex A, Section 8.32 Change Management
Identifying cryptography ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls Control 5.9, Inventory of Information & Other Associated Assets
Identifying cryptography NIST Cybersecurity Framework 2.0 (PDF) Appendix A. CSF Core Function IDENTIFY,
Category ASSET MANAGEMENT:
ID.AM-01, ID.AM-02, ID.AM-03, ID.AM-04
Testing ISO/IEC 27001:2022 (en anglais seulement), Annex A, Section 8.29 Security Testing in Development and Acceptance
ISO/IEC 27001:2022 (en anglais seulement), Annex A, Section 8.31 Separation of Development, Test and Production Environments
Date modified: