The impact of quantum technologies on the payment system

An interview with Oscar Covers, Cybersecurity Analist at the Dutch Payments Association

"In order to make optimal use of
post-quantum cryptography, current protocols will most likely have to be redesigned"

What are the main tasks of the Dutch Payments Association?

The Dutch Payments Association cooperates with its members towards safe, efficient, reliable and accessible payments in the Netherlands. Our members provide regulated payment services: banks and payment institutions. Among others we cooperate to keep electronic payments safe and to prevent fraud. We also assist with setting reliable standards.

What is your job at the Dutch Payments Association?

In the Netherlands we have a common understanding that competition on security makes no sense. Consequently the financial sector works closely together to keep financial services safe and secure, in the Netherlands as well as internationally.

As a cyber security analyst, I interpret internet or cyber threats, together with the experts of financial institutions. We make risk assessments and we look for risk mitigating measures. We share best practices and each member can choose the measures that are most effective for their own organization. In short, I analyze, anticipate and consult.

TU Delft is working on quantum internet and quantum computing. These technologies are expected to have an impact on the security of communication, including the security of electronic payments. Quantum computing may enable breaking encryption of such communication, and quantum internet offers new encryption through quantum key distribution. How realistic are these expectations?

At the end of 2015 we first heard about the developments, opportunities and threats related to quantum computing. Mature quantum computers can be expected by 2030 and we should start to prepare. The Dutch Payments Association has already organized four expert sessions with participants from universities, banks and payment companies and experts in the field of quantum and crypto.

These sessions taught us that the computing power of existing quantum computers is still very limited. Nevertheless, two known quantum algorithms pose a threat to a number of widely used encryption algorithms, if implemented on future powerful quantum computers.

We expect the first practical quantum computers to be deployed in the chemical and medical industries. These applications provide an early warning because to break current encryption algorithms, still more quantum computing power will be needed.

Our approach is to define ‘low regret moves’: steps we can take now without regretting them later on. Quantum key distribution will assure secure communication in a quantum computer era but the solution must also fit economically with business processes. In addition, it is preferable to introduce modifications through regular replacement, as accelerated replacement incurs more expenses.

How is the Dutch Payments Association preparing for the possible impact of quantum technologies on the security of electronic payments?

On a regular basis we will validate the previously defined ‘low regret moves’ and update them if necessary. Examples of these low regret moves are:

• Developing scenarios;

• Selecting encryption systems that are safe in a quantum computer era, known as ‘post- quantum crypto’;

• Gaining experience, for example by implementing post-quantum crypto systems.

This year we decided to make a readiness inventory, listing all the business processes that use encryption. For each business process the encryption algorithm and key length are then specified. We also determine the shelf life and enumerate which post-quantum crypto alternatives are available. Finally we try to set a realistic migration period. How much time does it take to migrate from the current situation to the situation that the business process uses post-quantum crypto?

What can TU Delft offer to the Dutch Payments Association to anticipate the impact of quantum technology?

We would like TU Delft to participate in our regular expert sessions in which we update low regret moves and, if possible, add new ones. In the field of post-quantum cryptography a lot of fundamental research is still being carried out and we have to start thinking about the implementation. We can use some help with that.

We also want to gain experience on a testing environment, when implementing post-quantum cryptography. In order to make optimal use of post-quantum cryptography, current protocols will most likely have to be redesigned. We already know that simply replacing algorithms will lead to very inefficient processes. So again, we can use your help.