What is Post-Quantum Cryptography?

by Marine Lecomte - Offers and Innovations Manager for Financial Services

“The Imitation Game”, a 2014 film, describes how Alan Turing was able to crack Enigma, the cryptography system used by the Nazi forces to protect the secrecy of their communications. This mathematical feat was a substantial contributor to the eventual victory of the Allied Forces.

Today, all banking transactions and services are protected by cryptographic systems. But these systems are under threat from a new generation of computers that take advantage of quantum physics. In the near future, these new quantum computers are expected to be able to crack most of the cryptographic systems in use today. How big a threat are we talking about, and how soon will the banks be exposed? What are the authorities doing? What should banks do? These are the questions covered in this article.

Quantum Computers are making the impossible, possible

While classical computers are based on transistors, which can hold only one of two values at any one time, 0 or 1, quantum computers are based on qubits, which can have all the values between 0 and 1. This mind-boggling capacity enables quantum computers to perform certain complex calculations in a very short amount of time compared to classical computing. Over the past two years, VC firms have poured 3.5 billion dollars worldwide into advancing quantum technology. Today quantum computers are a reality, but their actual computing power is still quite weak, and it is not yet possible to predict when quantum computers will beat classical computers (what the industry refers to as “the quantum advantage moment”). But many predict that we should be there in less than a generation.

With their massive computation power, quantum computers are predicted to be able to crack most of the cryptographic systems which are widely used by the banking industry to protect all their services and transactions. The day that quantum computers are able to surpass the processing power of traditional computing systems is referred to as "Q-Day". This day poses a significant existential threat to national security, as well as the global financial system, with the Hudson Institute estimating the damage could cost 2 trillion dollars.  

Public authorities to define guidelines and recommendations to prevent Q-Day from happening 

The public authorities are taking this threat seriously. Many nations, including the USA and China, have launched initiatives to select new cryptographic algorithms capable of resisting quantum computers, so-called Post-Quantum Cryptography or PQC. The US standardization body NIST (National Institute of Standards and Technology) selected 3 PQC algorithms in August 2024, clearing the way for deployments of these new technologies in the USA and across the West. The US government has already recommended that all federal services migrate to PQC by 2035. In Europe, ENISA (European Union Agency for Cybersecurity) has released several studies to complement the NIST approach.

In the banking industry, regulators and central banks have already been working on PQC for years. For example, the French and German central banks conducted a pilot named Project Leap, resulting in the successful implementation of a quantum-resistant communication channel that protects financial data. Banking authorities are thus determined to avoid the global meltdown that a breach of cryptography could create. In view of the recent technical progress, it is likely that within the next two years the banking authorities in the USA and in Europe are going to issue mandatory timelines to adopt PQC. In the meantime, they are recommending that banks draw up an inventory of their existing cryptographic systems and define a migration strategy to PQC. This is the case, for example, in Banque de France’s 2023 report on Payments Security (Observatoire de la Sécurité des Moyens de Paiement 2023). Banks are also experimenting with PQC independently. For example, Wells Fargo has filed several patents and is planning to roll out PQC before 2030.

Moving to PQC is not a question of “if” but a matter of “when” 

Why now? At first glance, it may seem premature, as there is not even a clear date for the Quantum Advantage Moment yet. Regardless, time is already running short. Firstly, the migration to PQC is likely to take several years, as cryptography is ubiquitous and the implementation of PQC is rather complex. The first step alone, the inventory of existing encryption systems, might take months (or years).

Secondly, PQC should be in place several years before the Quantum Advantage Moment in order to defend against the "store and decrypt later" strategy of attackers, who can copy encrypted data, keep it in storage and decrypt it later when quantum computers are powerful enough to access the stolen data. 
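As an added illustration (not part of the original article), the sketch below shows how an inventory can be turned into a migration order that reflects the "store and decrypt later" exposure described above. The system names, the record fields and the priority labels are assumptions made for this example, and the inventory is constructed sample data.

```python
from dataclasses import dataclass

# Public-key families that Shor's algorithm breaks on a large quantum computer.
SHOR_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA"}
SYMMETRIC = {"AES", "3DES", "CHACHA20"}

@dataclass
class CryptoUse:
    system: str         # where the algorithm is deployed (hypothetical names)
    algorithm: str
    key_bits: int
    purpose: str        # "key-exchange", "encryption", "signature" or "symmetric"
    secrecy_years: int  # how long the protected data must stay confidential

def triage(use: CryptoUse) -> str:
    alg = use.algorithm.upper()
    if alg in SHOR_BROKEN:
        # Recorded key exchanges and ciphertext can be decrypted retroactively,
        # so data with a long secrecy requirement is exposed from today.
        if use.purpose in ("key-exchange", "encryption") and use.secrecy_years > 0:
            return "1-harvestable"
        return "2-quantum-vulnerable"
    if alg in SYMMETRIC:
        # Grover's algorithm halves the effective key length.
        return "3-weak-symmetric" if use.key_bits < 256 else "4-ok"
    return "0-unidentified"  # no migration can be planned until this is understood

def migration_order(inventory):
    # Unidentified first, then harvestable data with the longest secrecy need.
    ranked = sorted(inventory, key=lambda u: (triage(u), -u.secrecy_years))
    return [(triage(u), u.system) for u in ranked]

# Constructed sample inventory (hypothetical systems, not from the article).
INVENTORY = [
    CryptoUse("card-tokenisation-db", "AES", 256, "symmetric", 10),
    CryptoUse("interbank-vpn", "ECDH", 256, "key-exchange", 15),
    CryptoUse("mobile-app-tls", "RSA", 2048, "key-exchange", 2),
    CryptoUse("payment-order-signing", "ECDSA", 256, "signature", 0),
    CryptoUse("legacy-hsm-link", "3DES", 168, "symmetric", 5),
    CryptoUse("vendor-appliance", "PROPRIETARY-X", 0, "encryption", 7),
]

if __name__ == "__main__":
    for priority, system in migration_order(INVENTORY):
        print(priority, system)
```
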

The final stumbling block to overcome is the need to implement the new concept of crypto-agility when migrating to PQC. This means putting in place new systems which will enable the rapid and frequent changes that cryptographic algorithms will need in the future. This is a major shift from the past. Up until now, it was only necessary to modify cryptographic algorithms on an infrequent basis. Why is this crypto-agility now needed? Because no one knows for sure that the PQC algorithms identified today will really stand the test of time. We may have to change them, and when that need comes, we will need to be able to do this quickly.

In France, ANSSI proposed a 3-phase methodology to prepare for the threats posed by quantum computing: preparation until 2025, hybridization of systems between 2025 and 2030, and total implementation of PQC by 2030. The principle of hybridization consists of using current algorithms simultaneously with post-quantum algorithms. 
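The following added example (not from the original article or from ANSSI) sketches hybridization and crypto-agility for key establishment: a session key is derived from a classical and a post-quantum shared secret together, so it stays secret as long as either algorithm holds, and the algorithm suite is a registry entry rather than hard-coded. The suite names, the use of the handshake transcript as salt and the shared-secret byte strings are assumptions; the secrets are constructed stand-ins for the outputs of a real ECDH exchange and a real ML-KEM encapsulation.

```python
import hashlib
import hmac

# Suite registry: changing algorithms is a configuration change, and the suite
# id is bound into the derived key. Suite names are illustrative assumptions.
SUITES = {
    "classical-only": ("ECDH",),
    "hybrid-v1": ("ECDH", "ML-KEM-768"),
}

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA-256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_session_key(suite_id: str, secrets: dict, transcript: bytes) -> bytes:
    """Combine one shared secret per algorithm of the suite into a session key."""
    algorithms = SUITES[suite_id]  # KeyError for a suite that is not registered
    missing = [a for a in algorithms if not secrets.get(a)]
    if missing:
        # Never fall back silently to the classical secret alone.
        raise ValueError(f"missing shared secret for {missing}")
    # Length-prefix each secret so the concatenation is unambiguous.
    ikm = b"".join(len(secrets[a]).to_bytes(2, "big") + secrets[a] for a in algorithms)
    return hkdf_sha256(ikm, salt=transcript, info=suite_id.encode())

# Constructed stand-ins for real shared secrets (not produced by real key exchanges).
ECDH_SECRET = bytes.fromhex("11" * 32)
MLKEM_SECRET = bytes.fromhex("22" * 32)

def demo_key() -> bytes:
    secrets = {"ECDH": ECDH_SECRET, "ML-KEM-768": MLKEM_SECRET}
    return derive_session_key("hybrid-v1", secrets, b"constructed-handshake-transcript")

if __name__ == "__main__":
    print(demo_key().hex())
```
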

In summary

Quantum computing is confounding. Soon, quantum computers will render most existing cryptographic algorithms obsolete. As a result, banks are already being urged by authorities to prepare to migrate to PQC, as this migration promises to be long and complex and the implementation of crypto-agility is especially crucial. This preparation is not just a “nice to have”, as obligations and timelines to migrate are likely to be set within the next two years.

To keep ahead of these developments, Sopra Steria has worked with partners and prepared methodologies and tools to help banks assess their existing cryptography systems and define a potential migration plan to PQC.  
In a follow-up article, we will interview Benoît Jouffrey, CTO of Thales DIS, a global leader in digital security, to better understand this topic.

Would you like to learn more about quantum technology? Contact our expert Marine Lecomte, who works in the Financial Services Offers and Innovations team at Sopra Steria. 

     