International Association
for Cryptologic Research

Mosca introduced three crucial aspects for real-world cryptography in the quantum computing era: security shelf-life, migration time, and collapse time. While collapse time has been extensively studied, migration time has not received as much attention. Acknowledging the complexity of post-quantum cryptography (PQC) migration, NIST launched the `Migration to Post-Quantum Cryptography' project in June 2022. Migration to PQC involves three primary tasks: inventorying the use of cryptography, analyzing risks and determining migration priorities, and executing migration to PQC. The two tasks of inventorying and migration, in particular, demand capabilities of cryptographic visibility and cryptographic agility, respectively. This is especially important for enterprises that own and maintain numerous IT systems for migration at scale. While participating in NIST's `Migration to PQC' project, we investigated the possibility of using existing open sources to obtain cryptographic visibility and agility. More specifically, we modified or extended the features of existing open-source tools in the DevOps pipeline for automated inventorying of cryptographic usage, and also demonstrated changing cryptographic providers without altering applications making use of the well-designed Java Cryptography Architecture. We have gained a clearer understanding and several findings regarding migration to PQC, and this talk will provide insights for IT service providers as well as open-source community regarding PQC migration. Next, we briefly describe how we can make use of existing tools to gain cryptographic visibility and agility.